Dropbox Bug Leaves Accounts Open for Hours

Dropbox seems to be in a bad run recently. I wrote about Dropbox security when they rewrote some of the lines in the privacy policy pages. This got some bad publicity and even though I love Dropbox for it’s usefulness started suggesting Dropbox alternatives.

Yesterday, Dropbox suffered another serious setback. One of the code updates made had a sever bug in their authentication system, that let anyone login to someone else’s Dropbox account with or without the correct password.

For about 4 hours!


Dropbox founder Arash said in a blog post:

Yesterday we made a code update at 1:54pm Pacific time that introduced a bug affecting our authentication mechanism. We discovered this at 5:41pm and a fix was live at 5:46pm. A very small number of users (much less than 1 percent) logged in during that period, some of whom could have logged into an account without the correct password. As a precaution, we ended all logged in sessions. (emphasis mine)

We’re conducting a thorough investigation of related activity to understand whether any accounts were improperly accessed. If we identify any specific instances of unusual activity, we’ll immediately notify the account owner. If you’re concerned about any activity that has occurred in your account, you can contact us at support@dropbox.com.

This should never have happened. We are scrutinizing our controls and we will be implementing additional safeguards to prevent this from happening again.

While it is commendable that Dropbox continues to admit their failings, it is rather troublesome. This issue highlights one of the shortcomings of trusting cloud services with your data.

I still maintain that you should consider again if you store sensitive data in the cloud – Dropbox or not. You could always encrypt your data and use Dropbox with Truecrypt for atleast the sensitive parts of your data.

Or you could use an online storage service like SpiderOak that encrypts your data before storing on their servers with the key only with you!

Check out here for more on Dropbox hacks. But, with solutions like portable Dropbox it is going to be hard for me to not use them for trivial stuff I don’t care if it gets out in the world.

The convenience of Dropbox far outweighs the small risk posed by security breaches like this one.

{ via Dropbox blog }

Explore Tags: , ,

Comments are closed.