Dropbox bug allowed users into accounts without a password

A serious Dropbox bug allowed anyone to log in to another user's account without the correct password for close to four hours yesterday.

According to TechCrunch, the vulnerability was introduced by a code update at 1:54 PM PST and let anybody log in to an account knowing only its username; the password entered was not checked correctly. Dropbox says it discovered the bug at 5:41 PM and had a fix live at 5:46 PM PST.

Details of the vulnerability were posted on Pastebin, leaving them open to the public. Dropbox admits that there was an issue with its authentication mechanism and that every user's account was vulnerable for close to four hours.

Dropbox published an apology and added that much less than one percent of its users logged in during that window. As a precaution, Dropbox terminated every logged-in session, forcing all users to sign in again.

Luckily for Dropbox and its users, there is so far no indication that the window was widely exploited, though Dropbox is still investigating account activity from that period. Still, a company that promotes security (AES-256 encryption of stored files) as a feature, yet pushes an authentication code change live without testing that would have caught a login check accepting the wrong password, gives cause for concern.
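Dropbox has not said what the faulty code change was. As an added illustration, not Dropbox's code, the following Python shows the class of regression the article describes (a login path that creates a session whether or not the password verified) next to the correct check, plus a session store whose sessions can all be revoked at once, as Dropbox did after the fix. The user table, passwords and function names are constructed for this example.

```python
import hashlib
import hmac
import os
import secrets

# Constructed user table for the example: one account whose password hash is
# derived at import time. A real system stores (salt, hash) per user.
ITERATIONS = 200_000


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password under a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


USERS = {"alice@example.com": make_user("correct horse battery staple")}


def verify_password(email: str, password: str) -> bool:
    """True only if the password matches the stored hash for that account."""
    user = USERS.get(email)
    if user is None:
        # Burn a hash anyway so an unknown address is not distinguishable by timing.
        hash_password(password, b"\x00" * 16)
        return False
    return hmac.compare_digest(user["hash"], hash_password(password, user["salt"]))


class SessionStore:
    """Server-side sessions tagged with a global epoch. Bumping the epoch
    invalidates every outstanding session in one step (mass logout)."""

    def __init__(self) -> None:
        self.epoch = 0
        self.sessions = {}  # token -> (email, epoch at creation)

    def create(self, email: str) -> str:
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (email, self.epoch)
        return token

    def lookup(self, token: str):
        entry = self.sessions.get(token)
        if entry is None or entry[1] != self.epoch:
            return None  # unknown token or issued before the last revoke_all()
        return entry[0]

    def revoke_all(self) -> None:
        self.epoch += 1


def login_buggy(store: SessionStore, email: str, password: str):
    """Hypothetical regression: the password is verified, but the branch tests
    whether the account exists instead of whether verification succeeded, so any
    password is accepted for any known username."""
    user = USERS.get(email)
    verified = verify_password(email, password)
    if user:  # BUG: should be `if verified:`
        return store.create(email)
    return None


def login_fixed(store: SessionStore, email: str, password: str):
    """Correct check: a session is issued only when the password verifies."""
    if verify_password(email, password):
        return store.create(email)
    return None


def wrong_password_rejected(login_fn) -> bool:
    """Regression test a deploy pipeline should run: a known username with a
    wrong password must not produce a session."""
    return login_fn(SessionStore(), "alice@example.com", "not-the-password") is None


if __name__ == "__main__":
    print("buggy login rejects wrong password:", wrong_password_rejected(login_buggy))
    print("fixed login rejects wrong password:", wrong_password_rejected(login_fixed))
```

The point of `wrong_password_rejected` is that the failure mode is cheap to test for: a single negative-path login test in the release pipeline would have blocked the deploy. The epoch-based `revoke_all` is one way to implement the "ended all logged in sessions" step without having to enumerate and delete every session record.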

The email issued from Dropbox to its users:

Hi Dropboxers,

Yesterday we made a code update at 1:54pm Pacific time that introduced a bug affecting our authentication mechanism. We discovered this at 5:41pm and a fix was live at 5:46pm. A very small number of users (much less than 1 percent) logged in during that period, some of whom could have logged into an account without the correct password. As a precaution, we ended all logged in sessions.

We’re conducting a thorough investigation of related activity to understand whether any accounts were improperly accessed. If we identify any specific instances of unusual activity, we’ll immediately notify the account owner. If you’re concerned about any activity that has occurred in your account, you can contact us at security@dropbox.com.

This should never have happened. We are scrutinizing our controls and we will be implementing additional safeguards to prevent this from happening again.

-Arash


39 Comments

Good article - here is another cloud storage solution that lets your computer fully encrypt your files before sending them out:
With SugarSync, you get 5GB of cloud storage space with the FREE version, but now there is no restriction to the number of computers you can sync/backup (up from 2).
It gives you the ability to upload and sync any folder on your computer.
It is the only service that offers such a broad device and OS support with apps for BlackBerry, Android, iPhone/iPad, Symbian, not to mention your computer!
You can also stream MP3 music files to your smartphone or computer.

Also if you use the below referral code you get a bonus 500MB extra on top of your Free 5GB!

https://www.sugarsync.com/referral?rf=tbtp0asbw9pt

Hope this helps someone!

only use dropbox for insensitive data. if it's stolen it won't hurt my feelings, cause it's insensitive. haha.
also use sugarsync. still don't trust cloud for sensitive data, probably never will.
but hey, i'm getting free storage, can't expect it to be perfectly secure, can ya?

Reading over these comments, gonna give SpiderOak a go for a bit, seems to be a little more complex, but much more configurable.

I've continued using DB until now, as I really don't use it for any personal or sensitive files, but this is just getting ridiculous. So gonna make the switch

Happy_Camel said,
Reading over these comments, gonna give SpiderOak a go for a bit, seems to be a little more complex, but much more configurable.

I've continued using DB until now, as I really don't use it for any personal or sensitive files, but this is just getting ridiculous. So gonna make the switch


lol going by the questionable logic of the article where the supposed DB "security flaw" was revealed, all of these cloud storage services are vulnerable to the same issue. As is any website or service that uses cookie-based authentication.

Might as well stop using your email, facebook if you have it, neowin, any forum, or anything that uses a cookie for auth.

cleverclogs said,
I'll stick to Skydrive & Mesh.

me too, especially since this HTML5 version is working amazing. and now the upload limit is 100MB. so it's getting better, especially since I bet it will be integrated in Windows 8, as it will be in WP7 and Xbox.

cleverclogs said,
I'll stick to Skydrive & Mesh.
"Hi, I'm Microsoft. You might remember me from such services as 'Hotmail - hacked by a million hackers' and 'Look! I pay people to go comment on online forums'."

Seriously, how the **** is Skydrive/Mesh/Google/Amazon/iCloud different from DropBox? What makes you trust one more than the other with your data? It's ridiculous because nobody can trust any of them. You need to be the guardian of your data.

I don't understand why anybody uses Dropbox. First a security flaw (still available) lets anyone into your files if they know your cookie (http://www.neowin.net/news/maj...ox-security-flaw-discovered), then Dropbox tried squashing an OpenSource project that took advantage of more poor security (http://www.neowin.net/news/dro...ng-down-open-source-project), and now this.... Unless you use strong encryption on everything in your DropBox, I wouldn't touch it with a 10' pole... And even then it's doubtful.

Total Dropbox fail. I was thinking about putting some semi-sensitive data on DB to have available via DB sync but I kept thinking to myself that I just don't trust DB and decided against it. This just solidifies my decision. I realize my odds were slim but I don't want to be caught in the next bug that doesn't get caught so soon. I'll still use them to sync non-sensitive data but everything else will have to be in an encrypted container before synchronizing or continue using my alternate method (albeit not as convenient as DB).

AlexMagik said,
any alternative to it? Mainly the shared folder feature is a very good one to have, plus of course the online sync...

yes, many. I'm currently switching to SpiderOak. Up to 50GB free too. Next thing for me to do is remove everything from my Dropbox folder and put it into my newly created SO folder.

EspadaV8 said,

yes, many. I'm currently switching to SpiderOak. Up to 50GB free too. Next thing for me to do is remove everything from my Dropbox folder and put it into my newly created SO folder.

Another vote for Spideroak too. Same space as Dropbox, more space through referrals, and the paid plans are half the price. Most of all though, the data is all encrypted client-side and sent to the spideroak servers, meaning that even they can't see your data.

This makes me very very angry as a Dropbox user. In fact I may delete my data off the service and uninstall it due to this.

Vice said,
This makes me very very angry as a Dropbox user. In fact I may delete my data off the service and uninstall it due to this.

Please do, for the name of god please delete everything and never ever use dropbox again.

Neo003 said,

Please do, for the name of god please delete everything and never ever use dropbox again.

... can't tell if serious

Vice said,
This makes me very very angry as a Dropbox user. In fact I may delete my data off the service and uninstall it due to this.

Cool delete all your midget porn.

Vice said,
This makes me very very angry as a Dropbox user. In fact I may delete my data off the service and uninstall it due to this.

This after they were caught lying to customers that they couldn't access our data... Dropbox isn't all roses anymore

Vice said,
This makes me very very angry as a Dropbox user. In fact I may delete my data off the service and uninstall it due to this.

+1

Not impressed with Dropbox at all. As soon as I can my data will be deleted and my account closed.

EspadaV8 said,

+1

Not impressed with Dropbox at all. As soon as I can my data will be deleted and my account closed.

So.... how long will it be before you're able to figure out how to delete your data?

Vice said,
This makes me very very angry as a Dropbox user. In fact I may delete my data off the service and uninstall it due to this.

It's not difficult to set up a fairly secure FTP or SFTP server at your house using a spare computer, if you're not uncomfortable with doing so, I recommend it. There's more than enough walkthroughs all over the internet using every piece of software under the sun for hosting your own "cloud" server. The only difference is that in the event of an emergency, you can unplug your cloud and it's instantly no longer online.

Vice said,
This makes me very very angry as a Dropbox user. In fact I may delete my data off the service and uninstall it due to this.
**** happens! I'm not impressed as I had to read about it in another tech blog when I should really have received an email.

However, I'll give them this one - I don't sync sensitive data and don't know of another service that is as easy/nice to use as DB.

Vice said,
This makes me very very angry as a Dropbox user. In fact I may delete my data off the service and uninstall it due to this.

How many of you guys threatening to leave are actually paying customers?

CoMMo said,

It's not difficult to set up a fairly secure FTP or SFTP server at your house using a spare computer, if you're not uncomfortable with doing so, I recommend it. There's more than enough walkthroughs all over the internet using every piece of software under the sun for hosting your own "cloud" server. The only difference is that in the event of an emergency, you can unplug your cloud and it's instantly no longer online.

Ok, I'll bite, do you have some links? I'd love to be my own cloud. But whatever I use it needs to work with Windows, Mac and iOS. I need to be able to download on my iPad and send files to my cloud as I do with Dropbox. I need to run my own email, contacts and calendar server and have it available on all devices and would like to log in via a webpage if I so choose. If you have some replacements then I'm very very interested.

CoMMo said,

It's not difficult to set up a fairly secure FTP or SFTP server at your house using a spare computer, if you're not uncomfortable with doing so, I recommend it. There's more than enough walkthroughs all over the internet using every piece of software under the sun for hosting your own "cloud" server. The only difference is that in the event of an emergency, you can unplug your cloud and it's instantly no longer online.

The appeal of these services isn't what FTP provides though. Dropbox and its alternatives offer background synchronisation, and off-site backup.

Majesticmerc said,

The appeal of these services isn't what FTP provides though. Dropbox and its alternatives offer background synchronisation, and off-site backup.


Take a look at Windows Live Mesh (http://explore.live.com/windows-live-mesh).

* Offers immediate syncing of all computers.
* Optional syncing to cloud with web interface.
* And remote access to all your connected computers.