Dropbox bug let users access accounts without a password

By on June 21, 2011, 7:16 PM

Dropbox yesterday announced the discovery of a bug that disabled the company's authentication mechanism. The flaw was introduced in a software update issued over the weekend and allowed accounts to be accessed with any string of text for a password. All accounts were essentially wide open for nearly four hours between 1:54 and 5:41PM Pacific time on Sunday.

Dropbox hasn't revealed precisely how many accounts might have been accessed illegitimately, but the company said less than 1% of its 25 million users logged in during the affected window. We imagine very few of those 250,000 were aware they could've pillaged another person's account, and even fewer would've had the moral ineptitude required to act on that realization.

The company has launched an investigation to pinpoint unusual activity. All users who logged on while the glitch was live should have received an email and you can contact the company (support@dropbox.com) if you sense something fishy has happened with your account. Naturally, Dropbox has apologized about the slipup, but users don't seem too forgiving.

The very first comment to the company's announcement said the incident was "unacceptable" and many subsequent messages carry a similar tone. We think users might have been more accepting of the blunder if it occurred this time last year, but considering the recent rash of cyber attacks, people are expectedly (and rightfully) touchy about their personal security online.

Dropbox is a cloud-based service that allows users to store files online and seamlessly share them across various Internet-connected devices. Unsurprisingly, many users rely on the service to store their sensitive documents. One commenter notes that their Dropbox account contains tax returns. It's unclear if Dropbox will compensate affected users with free premium service.




User Comments: 5

Got something to say? Post a comment
TJGeezer said:

Innocent glitch with a competent investigation being conducted afterward? I find it forgivable. But it underscores why many companies shy away from the cloud despite all the promotion and hoopla. Same problem many companies have had with software as a remote service. Not that most companies are masters of security, but at least they do control their own firewalls, or try to.

IIRC, Dropbox doesn't provide SSL connections or encrypted storage. Keeping sensitive data there doesn't make sense, though I do use Dropbox as a convenience all the time. It's fast, it's convenient and it's automatic. If I also want security, I'll store a small TrueCrypt virtual disk there. It's not so very difficult.

Staff
Rick Rick, TechSpot Staff, said:

TJGeezer said:

IIRC, Dropbox doesn't provide SSL connections or encrypted storage.

Dropbox does provide SSL connections and file encryption on the server as well. Maybe when the service was first introduced it didn't though, but it has for as long as I can remember (at least a couple of years ago).

However, I think we can all agree that you should NOT be putting sensitive data on Dropbox.

Guest said:

This is the problem with "the cloud". If you want to keeps things secure keep them under your own supervision and/or keep them encrypted.

Guest said:

Hey, TechSpot, it's time for another article telling how great DropBox is and how to use its features. Send them an e-mail. Maybe they will accept an offer to deal with.

Like the previous time, when another security related problem of DropBox came up. Treat us like we're fools, again.

Scott8090 said:

Gezz harse on companies much? No network is fully secure. A flaw always exists. Always a possiblily of a breach. With IT staffs understaffed and under budgeted it only adds to the problem. So what a slip up, their a company its going to happen sometime gezz. To not forgive a company security slip up only shows the lack of knowledge in regards to network security. Its not nice that it happened but its damn good Dropbox covered their users and their name. Look at sony anyone? All user names on both psn network and sonypictures.com were unencrpyted...now thats something to complain about.

Load all comments...

Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...
Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.