Dropbox Password Goof Let Any Password Work For 4 Hours
tekgoblin writes "Dropbox confirmed today that for some time yesterday, any user's account was accessible without a password. The glitch was a programming error related to a code update and accounts were only vulnerable from around 1:54 pm PST to 5:46 pm PST." "Only" is relative; as reader zonky puts it, "It took around 4 hours from deployment for Dropbox to notice they'd entirely broken their authentication scheme."
This is why automated regression testing is a best practice. I guess Dropbox don't test their authentication.
Doesn't a service like that have a preview deployment where they can properly test it? Maybe some automated testing for their authentication system, which I believe is a pretty big part of what they're doing?
Alas, testing is much like security, in that many companies try to get away with as little as possible.
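As an added illustration of the kind of automated check the comments above are asking for (example code, not Dropbox's own): a positive-only login test would have passed a bypass like this one, because the correct password still works. Only the negative cases (wrong, empty, unknown user) catch it. The broken verifier below is a hypothetical cause, constructed for the example; it compares the stored hash with itself, so every password is accepted.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # PBKDF2 work factor for this constructed example


def make_record(password: str) -> dict:
    """Constructed user record: random salt plus PBKDF2-HMAC-SHA256 hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


# Constructed sample user store, not real credentials.
USERS = {"alice": make_record("correct horse battery staple")}


def verify_broken(username: str, password: str) -> bool:
    """Hypothetical regression: the refactor compares the stored hash to
    itself instead of to the hash of the supplied password."""
    rec = USERS.get(username)
    if rec is None:
        return False
    supplied = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], ITERATIONS)
    return hmac.compare_digest(rec["hash"], rec["hash"])  # bug: 'supplied' is never used


def verify_fixed(username: str, password: str) -> bool:
    """Corrected verifier: constant-time compare of stored vs. supplied hash."""
    rec = USERS.get(username)
    if rec is None:
        return False
    supplied = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], ITERATIONS)
    return hmac.compare_digest(rec["hash"], supplied)


def auth_regression_check(verify) -> list:
    """Run positive and negative login cases against a verifier and return
    the names of the cases that failed (empty list means all passed)."""
    cases = [
        ("correct password accepted", verify("alice", "correct horse battery staple"), True),
        ("wrong password rejected", verify("alice", "wrong"), False),
        ("empty password rejected", verify("alice", ""), False),
        ("unknown user rejected", verify("mallory", "anything"), False),
    ]
    return [name for name, got, want in cases if got is not want]


if __name__ == "__main__":
    print("fixed verifier failures:", auth_regression_check(verify_fixed))
    print("broken verifier failures:", auth_regression_check(verify_broken))
```

Wiring a check like this into the deploy pipeline, so a release is blocked when the negative cases fail, is what would have turned a four-hour exposure into a failed build.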
Password strength is great, but this does go to show that no matter how many locks you put on your front door, if someone else forgets to close it, you're still going to lose your television...
Seriously, someone needs to have their head roll. Proper authentication is a.) the first thing I learned when doing web programming b.) reasonably simple to put in place c.) so damned important that even for a small website with nothing particularly sensitive, anyone who drops the ball on it should be shown the door with swiftness. I really like Dropbox, but they've had some drama lately and I think it's time to look elsewhere.
1. Open source or GTFO
2. Cloud is dangerous; this is why cloud fails
3. I like dropbox
4. Stop with the dropbox spam.
I have a box sitting in a decommissioned nuclear bunker running OpenAFS and securely wrapped Samba.
We discovered this at 5:41pm and a fix was live at 5:46pm
My guess is they updated to a working version. It would be unsafe to deploy a fix in five minutes anyway. Potentially making the problem worse.
http://michaelsmith.id.au
Doesn't this mean that none of the data on their servers is truly encrypted in any way? If the programmer could put $userAuthenticated=TRUE into the code and suddenly have access to any account's data, then how, exactly, is the encryption occurring period?
Easy to criticize from the other side, but obviously change management and solid SDLC practices are not in place. I know that they're pretty much a start-up and their end-goal is a juicy IPO. They need to consider that they're a target for all the security hacks and other "cloud" providers.
All they need is to get one sensible person to review and validate the releases. They can keep their internal cowboy style, just as it hits or affects prod, then someone needs to sign it with blood.
I'm sure they will learn from this. Their rep has suffered major damage (again).
Wearing pants should always be optional.
Relax honey, I only left our baby alone in the bathtub for four hours.
Relax Mr. President, We only let our enemy control our nuclear arsenal for four hours
Relax Japan, we have enough battery backup for the cooling system for four hours
Relax Gulf Residents, it's only been spilling oil for four hours
Relax Public, the serial killer has only been escaped for four hours
Relax Columbine Parents, the killing spree and stand off only lasted for four hours
Not only was there a serious security issue here, but Dropbox customers are having to find out about this through blogs. Dropbox has yet to email its users about this issue. It claims on its blog that users who logged in during this time have been notified. I logged in during this time, and have received no notice.
I am now leaving Dropbox. I need to review Wuala and Spideroak to see if they meet my needs, but I can safely say that this event and Dropbox's earlier behavior has demonstrated to me that they do not take the security and privacy of their customers seriously.
Was there any sort of check down after-the-fact to ensure that improper logins were terminated / any changes rolled back?
Somehow with a major break-in or other fault appearing virtually every day in the news, I am beginning to think large operations just don't have the required level of professionalism and funding of a proper testing environment (software & hardware) to get things right before they roll out the code publicly.
The prior news story which made me roll my eyes was the airline which lost use of some of its computers and stranded passengers.
I for one am dropping Dropbox.
5. Let me summarise what comments will be posted.
I substitute a different one that, if one were to be uncharitable in a particular direction, could appear on your list:
I don't trust freemium services like this with important things.
If I'm trusting my private data to a company to store, or anything else equally important, I have no problem paying for it, and I don't want to share the service with a trillion and one freeloaders on the Internet that are going to divert my subscription fees away from... well, making sure stuff like this doesn't make it into production. Something like Carbonite or Mobile Me (I know, put the pitchforks down) depends on its paying customers to stay and keep paying. Freemium depends on enticing its free customers into becoming paying customers. These are different priorities.
I do have to admit that I have a LastPass account, but I do pay for the premium subscription, and I only signed up after doing a bunch of research; I'm confident that they've done things right as much as possible. With LastPass, I'm the weakest point in the chain (social engineering, weak master passwords, and physical access to local machines are the easy targets over trying to brute force the encrypted blob LP's servers receive when my vault syncs).
Disclaimer: I have no affiliation with Carbonite, Apple, or LastPass, okay?
6. Corrections and additions to other people's comments
"Hi, welcome to Dropbox! Please follow the honor system, and do not be nosing about in others' things, or you'll have to sit in the Time-Out Chair."
Seriously?
[On another note: This should never be any worse than losing a thumb drive. If folks are using their own encryption on their important stuff, and blow the dust off their backups from time to time, it's no big deal. Unless you're one of those folks who doesn't do those things, in which case you should also go have a Time-Out.]
Kid-proof tablet..
I use DropBox, but I don't trust it to actually be secure. So I use it as a publishing tool and offsite backup for public things. All the stuff I have on there is essentially public - a bunch of images I wanted to share, and a few tarballs of GPL'ed source code to a game I'm writing. I have copies on my local machine, so Dropbox could collapse into a black hole without me losing any data. It's all stuff I want people to see, so the privacy and security of the account aren't of any concern.
Stuff like this has essentially proven that I was correct in not trusting Dropbox. It's a great tool - it's the easiest way to make 50 images publicly-viewable, and it's a good simple way to mirror some big file - but I don't think it's yet secure enough to be as safe as local data storage.
It wasn't strictly a bug in the code, they just accidentally put the FBI version up on their main web servers instead of just on the secret back door servers that all cloud based services have for government access.
Right now I'm imagining Dropbox being like a really small company, with a PHB manager, and all the code being worked on by one overworked and underpaid guy fresh out of college who has to do all the testing himself, while the PHB is constantly breathing down his neck for him to finish. These are the places that usually create such epic screwups.
For a moment I thought of Citibank being the same way after their URL hack came to light (except with their programmer being terribly incompetent on top of overworked and underpaid), but they have their own skyscraper and everything so I really can't maintain that idea.
"When information is power, privacy is freedom" - Jah-Wren Ryel
How can you fuck up something worse than a system devised back when nobody on the net really cared about security?
I frequently see PST mistakenly being used when PDT is in effect. That is probably what happened here too.
If you have created software that has dropbox capability, can you please add other storage providers so that I can switch away from dropbox? Please?
I have been involved with the installation of a lot of software over the years. Over the last few years, 3 or 4 maybe, I've seen this type of thing more and more.
It doesn't seem like anyone properly tests anything anymore. They just push it out the door and hope that no one complains. I wish these companies would stop buying everyone $5000 macs to code on and put that money to better use hiring actual software testers.
YOU CANNOT ACCURATELY PROOF YOUR OWN WRITING!
This goes for coding too.
All the worthless and mostly meaningless crap I had in my dropbox was available to the world for four hours. Poor world. I'm sorry.
Seriously. It's a cloud based file-syncing service any "security" you imagine files have in there inherently is entirely fictional.
www.nodicerpg.com - Some RP stuff for free, some not so for free, but still cheap.
Funding? It's the simple "Schneier principle".
As long as companies are not really responsible (financially) for any of their security failures, they will not invest in security.
No cost? No risk.
slashdot should allow modding sigs up !
The Cloud - because you don't care if your apps and data are up in the air.
I don't test my code. But when I do, I do it in Production,
I only post comments when someone on the internet is wrong.
Alternately, it might be the case that getting security right is actually really, really hard when you have teams of very smart people dedicated to breaking it. Which isn't what happened in this case, but could just as well have been.
There's a reason everyone bitches about having to jump through hoops to pass, for example, a PCI Level 1 security audit. There's a reason that in most breaches it's found out that there were practices that violated their PCI (or HIPAA, or insert-standard-here) customary and expected practices. We know how to get a really good head start on keeping systems secure, but it takes a lot of time, money, and will to succeed.
You're special forces then? That's great! I just love your olympics!
Well, I guess it's good that over the weekend I wrapped everything I had on Dropbox in an AES+Twofish TrueCrypt container.
You wreaked havoc for me, Dropbox.
This is a major booboo.
MY GMAIL HAS BEEN SPEWING SPAMS TO ALL CONTACTS YESTERDAY until this morning.
I almost got into a fight when I traced the IP address and found the owner.
I still haven't found the hacker, but this all happened thanks to you!
You can trust the cloud when the servers are overseen by people who never make mistakes, when the hardware runs perfectly all the time, and when all other human beings agree to not screw with the system.
If I'm trusting my private data to a company to store
Then we can safely dismiss your comments as the ravings of a fool.
If you want to see what all these companies think of your private data, look at their SLAs. Do they offer anything more than subscription fee back in case of leak or loss?
Wee! *marketing manager jumps off building wearing a cape*
On a semi related note, I read this on boingboing yesterday about 24 hours ago, slashdot seems to be slipping.
I'm always right, except when i'm not.
Well, I guess this definitely proves that all of their talk about encryption is bunk. Obviously if you could log in and access files using the wrong password, whatever "encryption" they're using to store the files on their end doesn't actually encrypt anything.
Remember when people learned that their "encryption" of data wasn't really encryption but merely a series of permission filters giving people either "user" access or "admin" access to your files?
Who needs to worry about encryption or permissions to your files when there's absolutely no form of authentication at all?!
Very strange way to solve their encryption issues if you ask me.... but I guess it's no longer an issue.
I never used dropbox for anything more than a handful spreadsheets I had to work with in school, because I never entrusted the "cloud" with my sensitive data. This is why iFolder (and now SparkleShare) are so promising, and why I keep using Unison in the meantime. The big question I have to ask today is: were the dropbox user account passwords accessible, or was it "just" the files? I need to know if I have to change the dozens of websites that use that particular password *again* (remember the Gawker password dump?).
A lot of people are saying you shouldn't keep anything sensitive in the cloud but having your personal data exposed isn't the only problem here. Dropbox automatically synchronizes to your PC so during this period anyone could have pushed any file out to your PC without your knowledge --maybe substitute an EXE with a virus, or replace your family photos with child porn.
What about if the company goes bankrupt? SLAs mean zilch then, and all privately stored data can be put on a torrent for anyone to download, and there is nothing anyone can do to stop that.
I'll be blunt: I hate calling for regulation. However, here is my proposal:
Have a status of "trusted storage provider" which is a certificate by the US government and led by a body. Essentially for a business to get this status, they pay a deposit, submit to security checks (physical, network based, etc.), and have a fund to deal with the destruction of all data stored with them should they go bankrupt or cease operations. The destruction would be done by an independent party who would show certificates of the destruction, and have insurance so if data wasn't really destroyed, people can file claims.
This way, either the data will be stored as per a SLA, or it will be destroyed.
bugs will happen, all the time. The problem here is that there are processes missing, management has failed. Your ideas of software development need to change, it is not a one-man-band.
You forgot the subcategory of
3. I like dropbox
3.a Use my referral code because I am too cheap to pay for real service.
...you have teams of very smart people dedicated to breaking it. Which isn't what happened in this case, ...
Are you implying that DropBox developers aren't smart? ;-)
What about if the company goes bankrupt? SLAs mean zilch then, and all privately stored data can be put on a torrent for anyone to download, and there is nothing anyone can do to stop that.
Bankruptcy DOES NOT WORK THAT WAY. Doing that would expose the people doing that to lawsuits.
I like your idea, but would prefer stronger labeling laws and enforcement to more regulation. This is because the regulation would mean nothing eventually.
Use dropbox like I do, in a secure fashion. I have a truecrypt container that I mount from inside dropbox, that way my data is safe from their and the NSA's spying!
https://www.dropbox.com/help/27
=== start ===
How secure is Dropbox?
Your files are actually safer while stored in your Dropbox than on your computer in some cases. We use the same secure methods as banks and the military.
Dropbox takes the security of your files and of our software very seriously. We use the best tools and engineering practices available to build our software, and we have smart people making sure that Dropbox remains secure. Your files are backed-up, stored securely, and password-protected.
Other Dropbox users can't see your private files in Dropbox unless you deliberately invite them or put them in your Public folder. Everything in your Public folder is, by definition, accessible to anyone.
Dropbox employees are prohibited from viewing the content of files you store in your Dropbox account, and are only permitted to view file metadata (e.g., file names and locations). Like most online services, we have a small number of employees who must be able to access user data for the reasons stated in our privacy policy (e.g., when legally required to do so). But that’s the rare exception, not the rule. We have strict policy and technical access controls that prohibit employee access except in these rare circumstances. In addition, we employ a number of physical and electronic security measures to protect user information from unauthorized access.
=== end ===
What lawsuits?
Take an average server. It belongs to the cloud provider, and clients store their data using the server as a head, and the backend SAN for the actual storage. The cloud provider tanks. The server and its SAN are auctioned off because the company is in receivership.
Mallory, the purchaser of the machine finds that there is a bunch of stuff including PII on it. He doesn't like the old company, so creates a torrent, and seeds it.
Can you sue Mallory? Nope. He just bought some computer hardware that happened to have some data on it and decided to do what he wanted. Copyright violation? Nope. The data was stored at the permission of the cloud computing provider and client.
Can you sue the cloud provider? Stand in line behind the big boys who already have the auction proceeds going to them.
This is where the government needs to step in and offer guarantees for a certain status, with the responsibilities. Want the "secure cloud provider" certification? Put some money in escrow so data can be destroyed under the eye of a Federal agency or a contractor. Combine this with a true SLA that is enforced not just with a piece of paper, but underwritten by an insurance firm, similar to how people are surety bonded.
Then, cloud computing might be a decently secure alternative to the age old tape rotations and the Iron Mountain van visiting on its usual schedule.
You rely on someone else....for security? Has no one told you that if you're not in charge of your own security, then you essentially have none???
The machines are wiped before auction, otherwise the auction company and the seller are on the hook. Used hardware is pretty common in the server room.
Goof? Really? If this were Sony, we'd be calling for their heads on a platter because our private data was potentially breached! A goof is when I forget the parking brake on my car and it rolls into another car in the parking lot. A goof is when you take a test but forget to check the backside for questions. Ridiculous lack of QA thereby putting information (whether you should trust the cloud or not) at risk is unacceptable, especially given the 4 hours it took to recover. Note: I hate Sony as much as the rest of /., but like equality.
I wondered how "Mad Dog 20/20" got on our grocery list.
#DeleteChrome
A look at the CTO's LinkedIn page shows him with a jester hat.
http://www.linkedin.com/in/arashferdowsi
How fitting.
My best guess is the feds took the opportunity to check dropbox.
Good article – here is another cloud storage solution that is fully encrypted:
With SugarSync, you get 5GB of cloud storage space with the FREE version, but now there is no restriction to the number of computers you can sync/backup (up from 2).
It gives you the ability to upload and sync any folder on your computer.
It is the only service that offers such a broad device and OS support with apps for BlackBerry, Android, iPhone/iPad, Symbian, not to mention your computer!
You can also stream MP3 music files to your smartphone or computer.
Also if you use the below referral code you get a bonus 500MB extra on top of your Free 5GB!
https://www.sugarsync.com/referral?rf=tbtp0asbw9pt
Hope it helps someone.
...at least when this happened, I got an email within 24 hours... not DAYS LATER like some other **coughSONYcough** company finally got around to sending...
Stone
Suddenly I no longer feel like an overly philosophical and paranoid computer geek for refusing to put anything remotely important in my Dropbox account. I was really beginning to feel down about myself, that I was overly protective of my privacy and too skeptical of Dropbox. Finally, I can abstain from uploading my files to Dropbox IN PEACE! I'm a new man because of this!
sieg heil!
Twitter: @dainsanefh
Bow down to the cloud, kiddies. This is your future!
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.