Dropbox bug allowed users into accounts without a password

A serious Dropbox bug allowed anyone into another users account, without a correct password for hours yesterday.

According to Techcrunch, the security vulnerability was opened after a code update at 1:54 PM PST, allowing anybody to access someone's account with just their username credentials. The bug was later caught and fixed at 5:46 PM PST.

The security vulnerability was posted in a Pastebin account, leaving the information open to the public. Dropbox admits that there was an issue with their authentication mechanism, and that every users account was left vulnerable for close to four hours.

Dropbox did publish an apology and further explained that less than one percent of all Dropbox users logged in during that time. As a safety precaution, Dropbox ended all the sessions, logging everyone out.

Luckily for Dropbox and its user base, this information didn't fall into the wrong hands. However, a company that promotes security as one of its features (using AES-256) encryption and pushes code live without thoroughly testing and reviewing is concerning.

The email issued from Dropbox to its users:

Hi Dropboxers,

Yesterday we made a code update at 1:54pm Pacific time that introduced a bug affecting our authentication mechanism. We discovered this at 5:41pm and a fix was live at 5:46pm. A very small number of users (much less than 1 percent) logged in during that period, some of whom could have logged into an account without the correct password. As a precaution, we ended all logged in sessions.

We’re conducting a thorough investigation of related activity to understand whether any accounts were improperly accessed. If we identify any specific instances of unusual activity, we’ll immediately notify the account owner. If you’re concerned about any activity that has occurred in your account, you can contact us atsecurity@dropbox.com.

This should never have happened. We are scrutinizing our controls and we will be implementing additional safeguards to prevent this from happening again.

-Arash

Previous Story
Another Sony web site hacked
Next Story
Gaming news round up: June 20