Beware of private file URLs in Dropbox for iPhone

Jun 23rd, 2010   8:22 pm

If you use Dropbox and, specifically, its iPhone client, you need to be aware of how the URL feature works, or you risk exposing your private files.

When you view a private file (i.e. a file not in your Public folder), you have the option to “Copy URL to Clipboard”. Normally, one would expect that to be the private URL for your private file: that is, the long URL that requires a Dropbox login to view.

Not so in this case! What happens is that a short URL (using Dropbox’s own URL-shortening service, db.tt) is generated for the file. However, it is a direct link to download the file, not simply a shortened URL that points to the login-protected private URL for the file.

Big security risk? No, not a huge risk, but it does mean there is now a chance that your private file will be “brute forced”, or guessed, by someone. The private URL is as good as your password (which should be more than 6 characters! It is, right?!), but this short URL is only as good as its 6 alphanumeric characters.
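To put numbers on that comparison, here is a small added example (not code from the original post or from Dropbox) that computes the size and entropy of an identifier space and how many random guesses it takes before one of them lands on some live file. It assumes db.tt identifiers are drawn from the 62 upper-case letters, lower-case letters and digits, as the post describes; the count of live identifiers and the 20-character length used for the long private URL are constructed values, not Dropbox figures.

```python
import math

# Assumption: db.tt identifiers use [A-Za-z0-9], i.e. a 62-symbol alphabet.
ALNUM = 62


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct identifiers of the given length."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in a uniformly random identifier."""
    return length * math.log2(alphabet_size)


def expected_guesses_for_one(alphabet_size: int, length: int) -> float:
    """Average number of random guesses needed to hit ONE specific identifier."""
    return keyspace(alphabet_size, length) / 2


def guesses_to_hit_any(alphabet_size: int, length: int,
                       live_ids: int, probability: float = 0.5) -> int:
    """Random guesses needed for a `probability` chance of landing on at least
    one of `live_ids` identifiers that are currently assigned to files.

    Each guess misses with probability (1 - live_ids / n); after g guesses the
    chance of having missed every time is p_miss ** g, so solve for g.
    """
    n = keyspace(alphabet_size, length)
    p_miss = 1 - live_ids / n
    return math.ceil(math.log(1 - probability) / math.log(p_miss))


if __name__ == "__main__":
    short, long_ = 6, 20  # 20 is a constructed stand-in for a long private URL
    print(f"6-char db.tt id: {keyspace(ALNUM, short):,} ids, "
          f"{entropy_bits(ALNUM, short):.1f} bits")
    print(f"20-char token : {entropy_bits(ALNUM, long_):.1f} bits")
    # Constructed figure: one million shortened files in existence.
    print("guesses for a 50% chance of hitting some live 6-char id:",
          guesses_to_hit_any(ALNUM, short, live_ids=1_000_000))
```

The point the last function makes is that guessing does not have to target your file in particular: the more files that have been shortened, the fewer random guesses it takes to land on somebody's, which is why a 36-bit identifier is a weaker guard than a login-protected URL.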

Something to be aware of (particularly if you’re used to using Dropbox outside of the iPhone client), rather than cause for panic!
