Dropbox Bug Made Passwords Unnecessary, Left Data At Risk For Hours
Recently, hackers have been in the limelight for breaking into companies' servers to steal users' personal information. Yet Dropbox, which provides online storage, needed no help putting its users' data at risk: the company has admitted that for several hours on Sunday, an update to its code caused a security glitch that allowed people to log into any Dropbox account by typing in any password at all.
In other words, while hackers have pried open the doors to data stored by Sony, the Senate, and other high-profile organizations, Dropbox, for four hours, left the doors completely unlocked.
Between 1:54pm PT, when the code update that introduced the bug was pushed live, and 5:46pm PT, when the issue was corrected (the flaw was discovered at 5:41pm PT), virtually any Dropbox account was accessible to anyone who supplied that account's email address and whatever password they cared to type, making any documents stored on the system potentially visible to strangers.
Dropbox acknowledged the security bug in a blog post published Monday, writing, "a very small number of users (much less than 1 percent) logged in during that period, some of whom could have logged into an account without the correct password. As a precaution, we ended all logged in sessions." Dropbox said it had contacted users whose accounts had been logged into before the authentication bug had been corrected to offer them "additional activity-related details for review."
The company offered more details on how it was addressing its misstep:
We’re conducting a thorough investigation of related activity to understand whether any accounts were improperly accessed. If we identify any specific instances of unusual activity, we’ll immediately notify the account owner. [...] This should never have happened. We are scrutinizing our controls and we will be implementing additional safeguards to prevent this from happening again.
The Dropbox authentication bug comes as companies such as Apple, Google and Amazon are encouraging consumers to move more and more of their data to the cloud, storing it on remote servers that companies promise are reliable and secure. But these services are appealing only insofar as they are trustworthy and accessible, and security scares such as the one suffered by Dropbox are likely to turn users away from the notion of storing their information remotely, despite the conveniences it may offer.
Not only have companies struggled to keep their systems secure, but many have stumbled when it comes to communicating with their customers about breaches. Sony, for example, waited days before admitting that a cyber attack had put over 100 million users' information at risk.
Dropbox has not fared much better: Dropbox CTO Arash Ferdowsi told one user in an email that the password issue was the result of a "very brief glitch," but commenters on Dropbox's forums were far from relieved. "Allowing unlimited public access to everyone's private files is not a 'brief glitch', it's a 'major and total security failure,'" wrote Andrew M.
"This is completely unacceptable and warrants hourly updates until you know exactly what happened," wrote Tony W. in the comments to Ferdowsi's blog post. "When security is critical to your offering, you should be running unit tests on every deployment and additional security tests. This clearly indicates the need for re-engineering Dropbox security. As to moving forward, every single Dropbox customer should be getting an e-mail right now about this — not hearing about it from other sources or from a seemingly calm-toned blog post."
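The failure described above, a login check that accepts any password, is exactly the class of defect that the negative tests Tony W. calls for are meant to catch before a deployment reaches production. The following is an added example, not Dropbox's code and not a description of the actual 2011 defect: a minimal salted PBKDF2 password check, a constructed fail-open variant in which a refactor shadows the stored hash so the comparison is always true, and a deployment gate that runs both positive and negative login cases. All function names (hash_password, verify_password, verify_password_fail_open, run_login_checks, safe_to_deploy) are assumptions made for this illustration.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, Tuple

# Constructed illustration of an authentication regression gate.
# Nothing here is Dropbox's code or the cause of the bug the article describes.

ITERATIONS = 50_000  # kept low so the example runs quickly; use more in production


def hash_password(password: str, salt: bytes = b"") -> Tuple[bytes, bytes]:
    """Return (salt, PBKDF2-HMAC-SHA256 digest); a fresh random salt if none is given."""
    if not salt:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(stored: Tuple[bytes, bytes], candidate: str) -> bool:
    """Correct check: re-derive with the stored salt and compare in constant time."""
    salt, stored_digest = stored
    _, candidate_digest = hash_password(candidate, salt)
    return hmac.compare_digest(stored_digest, candidate_digest)


def verify_password_fail_open(stored: Tuple[bytes, bytes], candidate: str) -> bool:
    """Hypothetical fail-open bug (constructed, not Dropbox's defect): a refactor
    reuses the name `digest`, so the stored hash is overwritten by the candidate's
    own hash and the comparison succeeds for every password."""
    salt, digest = stored
    _, digest = hash_password(candidate, salt)  # bug: shadows the stored digest
    _, candidate_digest = hash_password(candidate, salt)
    return hmac.compare_digest(digest, candidate_digest)  # always True


def run_login_checks(verify: Callable[[Tuple[bytes, bytes], str], bool]) -> Dict[str, bool]:
    """Run a verifier against positive and negative login cases.

    The negative cases are what catch an "any password works" regression;
    a suite with only the positive case would have passed the fail-open version.
    """
    stored = hash_password("correct horse battery staple")  # constructed test account
    return {
        "accepts_correct_password": verify(stored, "correct horse battery staple") is True,
        "rejects_wrong_password": verify(stored, "wrong password") is False,
        "rejects_empty_password": verify(stored, "") is False,
        "rejects_near_miss": verify(stored, "correct horse battery staple ") is False,
    }


def safe_to_deploy(verify: Callable[[Tuple[bytes, bytes], str], bool]) -> bool:
    """Deployment gate: ship only if every login case, positive and negative, holds."""
    return all(run_login_checks(verify).values())


if __name__ == "__main__":
    for name, fn in (("verify_password", verify_password),
                     ("verify_password_fail_open", verify_password_fail_open)):
        verdict = "deploy" if safe_to_deploy(fn) else "BLOCK"
        print(name, run_login_checks(fn), verdict)
```

The point of the gate is that the buggy verifier still passes the positive case, so a suite that only checks "the right password logs in" would have let it through; the wrong-password and empty-password cases are the ones that fail and block the deployment.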
The vulnerability was first reported by researcher Christopher Soghoian, a vocal critic of Dropbox's security practices. Soghoian had earlier filed a complaint with the FTC alleging that Dropbox told users that files stored on its system were not visible to Dropbox employees, whereas, he contends, the available evidence shows that some Dropbox staff can indeed view users' documents.
Dropbox users are advised to contact email@example.com with concerns. Naked Security adds, "If your account was accessed, be sure to ask Dropbox for a detailed log of what happened so you can find out what got stolen as well as what got changed. Unauthorised access and unauthorised modification are both bad for your digital well-being."