Slashdot Mirror


Dropbox Authentication: Insecure By Design

An anonymous reader writes "Dropbox can be very useful, but you might be a little surprised to learn that by copying one file from a computer running the application, an attacker can access and download all of your files without any obvious signs of compromise. Normal remediation steps after a compromise such as password rotation, system re-image, etc. will not prevent continued access to the compromised Dropbox. Derek Newton, a security researcher who published this finding yesterday, discusses the security implications of this by-design security authentication method on his blog."
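The failure mode the summary describes, modelled as an added example (this is constructed illustration code, not Dropbox's client or server code and not from Derek Newton's write-up): a sync service hands each linked machine a long-lived device credential that the client keeps in a file. In the weak design that file is the only thing the server ever checks, so whoever copies it is the device, and rotating the account password changes nothing. In the hardened design the server keeps a revocable per-device record and wipes it on password change, so a stolen credential file dies with the old password. All account names, passwords and token formats below are made up for the demonstration.

```python
"""Toy model of the authentication weakness described in the story above.

Added example, not Dropbox's code: two designs for a file-sync device
credential side by side. In the weak one the copied file keeps working
after a password change; in the hardened one it does not.
All names and data here are constructed for illustration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    # weak design: one static device secret per account, never rotated
    static_device_secret: str = ""
    # hardened design: device_id -> sha256(token); entries deleted on revoke
    devices: dict = field(default_factory=dict)


class SyncServer:
    def __init__(self) -> None:
        self.accounts: dict = {}

    def register(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[user] = Account(salt, _pw_hash(password, salt))

    def _check_password(self, user: str, password: str) -> Account:
        acct = self.accounts[user]
        if not hmac.compare_digest(acct.pw_hash, _pw_hash(password, acct.salt)):
            raise PermissionError("bad password")
        return acct

    def change_password(self, user: str, new_password: str) -> None:
        acct = self.accounts[user]
        acct.pw_hash = _pw_hash(new_password, acct.salt)
        # hardened design: every linked device must re-link with the password
        acct.devices.clear()
        # weak design: static_device_secret is left untouched -- that is the bug

    # ---- weak design: bare secret in a file, compared against a static value ----
    def link_weak(self, user: str, password: str) -> str:
        acct = self._check_password(user, password)
        if not acct.static_device_secret:
            acct.static_device_secret = secrets.token_hex(32)
        return acct.static_device_secret  # client writes this to its config file

    def fetch_weak(self, user: str, device_secret: str) -> bool:
        acct = self.accounts[user]
        return hmac.compare_digest(acct.static_device_secret, device_secret)

    # ---- hardened design: per-device token, hashed server-side, revocable ----
    def link_hardened(self, user: str, password: str) -> str:
        acct = self._check_password(user, password)
        device_id, token = secrets.token_hex(8), secrets.token_hex(32)
        acct.devices[device_id] = hashlib.sha256(token.encode()).hexdigest()
        return f"{device_id}.{token}"  # client writes this to its config file

    def fetch_hardened(self, user: str, credential: str) -> bool:
        acct = self.accounts[user]
        device_id, _, token = credential.partition(".")
        stored = acct.devices.get(device_id)
        if stored is None:
            return False  # revoked, or never issued
        return hmac.compare_digest(stored, hashlib.sha256(token.encode()).hexdigest())


def demo() -> dict:
    """Steal both credential files, then have the victim rotate the password."""
    server = SyncServer()
    server.register("alice", "hunter2")
    stolen_weak = server.link_weak("alice", "hunter2")  # copied off the victim's disk
    stolen_hardened = server.link_hardened("alice", "hunter2")
    result = {
        "weak_before_rotation": server.fetch_weak("alice", stolen_weak),
        "hardened_before_rotation": server.fetch_hardened("alice", stolen_hardened),
    }
    server.change_password("alice", "correct horse battery staple")
    result["weak_after_rotation"] = server.fetch_weak("alice", stolen_weak)
    result["hardened_after_rotation"] = server.fetch_hardened("alice", stolen_hardened)
    return result


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'attacker still has access' if ok else 'access denied'}")
```

The point of the hardened variant is not the hashing but the server-side record: because each device has its own row, the service can list, expire and revoke devices, and a password change has something to invalidate. A credential that is a bare static secret with no server-side state gives the account owner nothing to revoke, which is exactly why re-imaging and rotating passwords do not help in the scenario the story describes.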

5 of 168 comments

  1. Re:Dropbox by Hijacked+Public · Score: 5, Insightful

    There is a significant difference between a service I find useful for embedding photos on web forums, or similar things, and one I'd store my plain text tax forms on.

    --
    "Sacrifice for the good of The State" - The State
  2. Re:Dropbox by Wrath0fb0b · Score: 3, Insightful

    Replying to undo accidental 'redundant' instead of 'informative'.

    Doh. Also poster is right. Different data have different security requirements -- think about that for a while.

  3. Re:Slashdotted before the comments even started? by hedwards · Score: 3, Insightful

    I'm always shocked by how much load is put on a server by people not reading the article.

  4. the Cloud is ... by Tumbleweed · Score: 3, Insightful

    Someone else's computer

  5. Re:Dropbox IPS sig from EmergingThreats by slyborg · Score: 3, Insightful

    Maybe you should find out what people are using the DB access for first...at my company, we use it as a working drop for communicating external documents with outside vendors, more convenient than shoveling everything around via email.

    My old joke about the ideal network for the network admin is a single computer in a bank vault, unplugged. It's unfortunate that the job basically is all downside in terms of incidents, but ultimately the job should still be to *facilitate* employee access to company data, customers, and each other. Otherwise you are actively impeding the profitability of your company.