Response from MyDropBox

I just received this response from Max Lytvyn at MyDropBox:

I’m sorry for the delayed response. I met with the development team regarding the issue you mentioned. It turned out this was a known issue since this past fall, and we had a fix ready. The fix was not deployed so as not to introduce any changes to the system during the peak usage time. Now that the peak season is over, we deployed the fix and the exploit no longer exists.

Unfortunately, the flaw is still present and active. Max has been informed. More soon…

..:: Update: December 15, 2007

After I provided Max a link to an example of the flaw (without expiring links), he wrote back:

The link that you provided is from a different product (MyDropBox individual, which is completely different from MyDropBox 2.0 provided to ALL institutional clients). This product has permanent links to reports, as these links are delivered to users via email, and thus should not expire. There is no fix for this particular version of the product at this point, but this product is used by less than 3% of our clients. We will develop a fix for it before the beginning of the next semester.