Slashdot Mirror


Dropbox Password Goof Let Any Password Work For 4 Hours

tekgoblin writes "Dropbox confirmed today that for some time yesterday, any user's account was accessible without a password. The glitch was a programming error related to a code update and accounts were only vulnerable from around 1:54 pm PST to 5:46 pm PST." "Only" is relative; as reader zonky puts it, "It took around 4 hours from deployment for Dropbox to notice they'd entirely broken their authentication scheme."

34 of 185 comments

  1. Regression testing by Bogtha · · Score: 4, Informative

    This is why automated regression testing is a best practice. I guess Dropbox don't test their authentication.

    --
    Bogtha Bogtha Bogtha
    1. Re:Regression testing by buchner.johannes · · Score: 4, Funny

      This is why automated regression testing is a best practice. I guess Dropbox don't test their authentication.

      That would be so old school. We do agile development now, and the user is the tester once the unit tests pass.

      </sarcasm>

      --
      NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
    2. Re:Regression testing by Richard_at_work · · Score: 5, Informative

      No, they have never claimed that the password was involved in the encryption they use - they use one single encryption key for all data stored. Their terms of service did say that your data is inaccessible without your password, but this is nothing more than permissions rather than per-account encryption.

      There has been lots of valid shit thrown around about Dropbox over the recent weeks, but please do try and get stuff right before you complain.

    3. Re:Regression testing by Nikker · · Score: 5, Funny

      This is Slashdot, the start tag was posted in 1999.

      --
      A loop, by its nature, continues. If that didn't make sense, start reading this sentence again.
    4. Re:Regression testing by Lieutenant_Dan · · Score: 2

      Their terms of service did say that your data is inaccessible without your password, but this is nothing more than permissions rather than per-account encryption.

      Or it could be that a personal encryption key is stored in their user profile database. So all data is still uniquely encrypted per user, but access to the key is available to the admins (and as you indicated limited by process/permissions).

      I would hope that every person's data is not encrypted with the same key. If that's the case, then they may as well close shop now.

      --
      Wearing pants should always be optional.
    5. Re:Regression testing by Richard_at_work · · Score: 5, Informative

      Again, no - it's been well documented that Dropbox does global deduplication and single instance storage, across all data in their database. That would not work anywhere near as well for them if each account used its own encryption key - until they turned it off recently due to abuse, you could shove an Ubuntu iso into your local Dropbox and have it "synced" 100% in seconds, as the Dropbox servers realise that they already have it in their global pool, and simply tell your client not to upload it.

      So yes, they use a single key.

    6. Re:Regression testing by gstoddart · · Score: 4, Insightful

      Well, gee, that makes me feel good about their security...

      I've never treated Dropbox like it's secure. It's convenient for copying around files, but I wouldn't use it for anything sensitive.

      I think if you're aware of the fact that it's only *slightly* more secure than a public folder on a shared network and use it accordingly, you can still make use of Dropbox as a tool. Although, admittedly, my usage of it has diminished since I initially got it.

      --
      Lost at C:>. Found at C.
    7. Re:Regression testing by Eivind · · Score: 2

      It should be possible to do global deduplication while still using encryption. You'd need to store (unencrypted) hashes of the files stored though.

      What you typically do is encrypt a block with a random session-key, then you encrypt the key with the user's public key, and store both (the encrypted block and the encrypted session-key). The legitimate user then retrieves the encrypted session-key, decrypts it with his private key and uses that to decrypt the encrypted block.

      With this scheme, there's nothing stopping you from storing the session-key encrypted with *both* (or more than 2) private-keys.

      This is the same thing GPG and friends do if you specify 2 or more recipients for the same message. They encrypt the actual message only once, with a one-time random key. Then they encrypt that *key* once for each recipient. This saves space 'cos the key is typically much smaller than the message.

      You'd need the hashes unencrypted though, to be able to tell that two people have the same files -- even if you don't know what's in those files. And this does, of course, leak *some* of their privacy. (One could, for example, answer the question: does person X have file Y, yes or no?)
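The scheme Eivind describes, as an added example (mine, not from the thread or from Dropbox): one ciphertext per unique file, a per-file key wrapped once per user, and a dedup index keyed on the plaintext hash. It assumes a demo stream cipher in place of a real AEAD and symmetric user keys in place of public keys, and, because the comment does not say how a later uploader of the same file learns the session key, it derives that key from the content (convergent encryption).

```python
import hashlib
import os

# Demo-only stream cipher standing in for a real AEAD such as AES-GCM:
# keystream = SHA-256(key || nonce || counter), XORed into the data.
def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

class DedupServer:  # one ciphertext per unique file, one key wrap per user
    def __init__(self):
        self.blobs = {}  # plaintext digest -> (nonce, ciphertext)
        self.wraps = {}  # (user, digest)   -> (nonce, wrapped file key)
    def has_blob(self, digest: bytes) -> bool:
        return digest in self.blobs
    def has_file(self, user: str, digest: bytes) -> bool:  # the leak above
        return (user, digest) in self.wraps
    def store(self, user, digest, blob, wrap):
        if blob is not None:  # only the first uploader sends the ciphertext
            self.blobs[digest] = blob
        self.wraps[(user, digest)] = wrap

class Client:
    def __init__(self, name: str, user_key: bytes):
        self.name, self.user_key = name, user_key
    def upload(self, server: DedupServer, plaintext: bytes) -> bytes:
        digest = hashlib.sha256(plaintext).digest()  # sent to server in clear
        # Assumption: convergent file key, so a later holder of the same bytes
        # derives the same key instead of needing it from the first uploader.
        file_key = hashlib.sha256(b"file-key:" + plaintext).digest()
        blob = None
        if not server.has_blob(digest):
            nonce = os.urandom(16)
            blob = (nonce, _xor_stream(file_key, nonce, plaintext))
        wnonce = os.urandom(16)  # wrap the file key under this user's key
        wrap = (wnonce, _xor_stream(self.user_key, wnonce, file_key))
        server.store(self.name, digest, blob, wrap)
        return digest
    def download(self, server: DedupServer, digest: bytes) -> bytes:
        wnonce, wrapped = server.wraps[(self.name, digest)]
        file_key = _xor_stream(self.user_key, wnonce, wrapped)
        nonce, ct = server.blobs[digest]
        return _xor_stream(file_key, nonce, ct)
```

The `has_file` method is the privacy leak the comment mentions: the server can answer whether a given user holds a given hash, and with convergent keys anyone who can reproduce a file's exact contents can also confirm it is stored.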

    8. Re:Regression testing by h4rr4r · · Score: 2

      The processing power is not the issue, the storage is. They can't do global dedupe on the block level if they use per user encryption.

  2. How about testing? by mcvos · · Score: 2

    Doesn't a service like that have a preview deployment where they can properly test it? Maybe some automated testing for their authentication system, which I believe is a pretty big part of what they're doing?

    Alas, testing is much like security, in that many companies try to get away with as little as possible.

    1. Re:How about testing? by Chris+Mattern · · Score: 2

      Automated authentication testing that doesn't test using the wrong password?? Must have been brought to you by people who took the short bus to Q/A training...
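A sketch of the negative tests Chris Mattern is calling for, as an added example that is not part of the thread: the user table, the hardened verify and the broken variant are all constructed here, and the broken variant is an illustrative bug class, not Dropbox's actual error.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor for this demo

def make_record(password: str) -> dict:
    """Constructed user record: random salt plus PBKDF2-HMAC-SHA256 hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}

USERS = {"alice": make_record("correct horse battery staple")}

def verify_ok(user: str, password: str) -> bool:
    """Hardened check: recompute the hash and compare in constant time."""
    rec = USERS.get(user)
    if rec is None:
        return False
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], ITERATIONS)
    return hmac.compare_digest(cand, rec["hash"])

def verify_broken(user: str, password: str) -> bool:
    """Constructed regression: the candidate hash is computed but the
    result is never compared to the stored one, so any password passes."""
    rec = USERS.get(user)
    if rec is None:
        return False
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], ITERATIONS)
    return bool(cand)  # always True: the bug a negative test catches

def auth_regression(verify) -> dict:
    """The cases an authentication suite must cover; True means the case passed."""
    return {
        "accepts_correct": verify("alice", "correct horse battery staple") is True,
        "rejects_wrong": verify("alice", "hunter2") is False,
        "rejects_empty": verify("alice", "") is False,
        "rejects_unknown_user": verify("mallory", "anything") is False,
    }
```

A suite with only the positive case reports both implementations as healthy; only the wrong-password and empty-password cases separate them.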

  3. Fire the programmers please by james_van · · Score: 2, Insightful

    Seriously, someone needs to have their head roll. Proper authentication is a.) the first thing I learned when doing web programming, b.) reasonably simple to put in place, c.) so damned important that even for a small website with nothing particularly sensitive, anyone who drops the ball on it should be shown the door with swiftness. I really like Dropbox, but they've had some drama lately and I think it's time to look elsewhere.

    1. Re:Fire the programmers please by Lieutenant_Dan · · Score: 2

      Chances are they enabled a function to impersonate any users in order to validate that it was working properly without having to know someone's pwd. Problem obviously is that they kept the original config. Deployment team, testers or devs probably share the problem equally. Most likely someone forgot to document all the steps including re-enabling the authentication piece.

      --
      Wearing pants should always be optional.
  4. Relax, it was only 4 hours. by Combatso · · Score: 5, Funny

    Relax honey, I only left our baby alone in the bathtub for four hours.
    Relax Mr. President, We only let our enemy control our nuclear arsenal for four hours
    Relax Japan, we have enough battery backup for the cooling system for four hours
    Relax Gulf Residents, it's only been spilling oil for four hours
    Relax Public, the serial killer has only been escaped for four hours
    Relax Columbine Parents, the killing spree and stand off only lasted for four hours

    1. Re:Relax, it was only 4 hours. by SJHillman · · Score: 2

      Relax Mr. Sys Admin, the hacker has only been downloading your database for four hours.
      Relax Mr. Homeowner, your house has only been burning for four hours.
      Relax Facebook users, your information has only been sold off for four hours... errr... years.
      Relax Mr. Necrophiliac, she's only been dead for four hours.

    2. Re:Relax, it was only 4 hours. by xtracto · · Score: 5, Interesting

      but fortunately there is no evidence of any unauthorized access.

      Of course not, all the access was authorized by the faulty authorization system.

      --
      Ubuntu is an African word meaning 'I can't configure Debian'
  5. Dropbox's followup is no good by Wuhao · · Score: 3, Insightful

    Not only was there a serious security issue here, but Dropbox customers are having to find out about this through blogs. Dropbox has yet to email its users about this issue. It claims on its blog that users who logged in during this time have been notified. I logged in during this time, and have received no notice.

    I am now leaving Dropbox. I need to review Wuala and Spideroak to see if they meet my needs, but I can safely say that this event and Dropbox's earlier behavior has demonstrated to me that they do not take the security and privacy of their customers seriously.

  6. The Most Interesting Developer In The World by Kozz · · Score: 5, Funny

    I don't test my code. But when I do, I do it in Production.

    --
    I only post comments when someone on the internet is wrong.
  7. Re:Let me summarize every comment that will appear by h4rr4r · · Score: 2

    If I'm trusting my private data to a company to store

    Then we can safely dismiss your comments as the ravings of a fool.

    If you want to see what all these companies think of your private data, look at their SLAs. Do they offer anything more than subscription fee back in case of leak or loss?

  8. Data exposure isn't the only consequence. by EvilSpudBoy · · Score: 2

    A lot of people are saying you shouldn't keep anything sensitive in the cloud but having your personal data exposed isn't the only problem here. Dropbox automatically synchronizes to your PC so during this period anyone could have pushed any file out to your PC without your knowledge --maybe substitute an EXE with a virus, or replace your family photos with child porn.

  9. wrong kind of thinking by rubycodez · · Score: 3, Insightful

    Bugs will happen, all the time. The problem here is that there are processes missing; management has failed. Your ideas of software development need to change, it is not a one-man band.
