We are aware of the issue with the badge emails resending to everyone, we apologise for the inconvenience - learn more here.
I use File Request to help clients send sensitive information to me securely.
To improve security and their confidence, it would be nice if they could verify that the File Request is going to me, not someone spoofing me.
To do that, you could perhaps display the requester's email address on the File Request. This way, the file sender can easily see who will receive their file, and confirm it is the person they are trying to send it to.
- Megan
Dropbox Staff
Status changed:Gathering SupporttoClosed - MeganStatus changed:NewtoGathering Support
Thanks so much for replying, Walter!
I don't think that would address the concern, which is email spoofing.
We work in the financial services industry and attackers routinely spoof our emails. That is, they send emails to our clients that appear to be from us, but aren't. A clever attacker could easily create a Dropbox account and say their name is my name, then create a File Request, and then send a spoofed email to my client requesting sensitive information via File Request. The victim would be totally fooled because the Dropbox file request does not say who is receiving the files -- other than their name, which is not unique of course, and anyone can fake besides.
One possibly simple solution is for the Dropbox File Request page to display the email address associated with the Dropbox account that will receive the file. For example, "John removed is requesting a file."
- Walter
Hey frogandtoad - thanks for sharing your thoughts on this with us.
I'm not sure if you have tried this yet, but have you considered copying the file request link and sending it via email?
Let us know if that would work for you!
