Slashdot Mirror


Dropbox Password Goof Let Any Password Work For 4 Hours

tekgoblin writes "Dropbox confirmed today that for some time yesterday, any user's account was accessible without a password. The glitch was a programming error related to a code update and accounts were only vulnerable from around 1:54 pm PST to 5:46pm PST." "Only" is relative; as reader zonky puts it, "It took around 4 hours from deployment for Dropbox to notice they'd entirely broken their authentication scheme."

11 of 185 comments

  1. Regression testing by Bogtha · · Score: 4, Informative

    This is why automated regression testing is a best practice. I guess Dropbox don't test their authentication.

    --
    Bogtha Bogtha Bogtha
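The kind of automated regression test the comment argues for, as an added example that is not Dropbox's code and not part of the original thread: a minimal password check (PBKDF2 with a per-user salt, constant-time comparison) plus a small suite that deploys should be gated on. The suite is written against an `auth_fn` parameter so it can also be pointed at `broken_authenticate`, a hypothetical stand-in for the bug class in the story (user lookup still works, password comparison no longer happens), to show that the "wrong password rejected" case is exactly what catches it. The user names and passwords are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed in-memory user store: name -> (salt, PBKDF2-SHA256 hash).
# Illustrative only; not Dropbox's code.
PBKDF2_ITERATIONS = 50_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def create_user(store: dict, name: str, password: str) -> None:
    salt = os.urandom(16)
    store[name] = (salt, _hash_password(password, salt))


def authenticate(store: dict, name: str, password: str) -> bool:
    """Correct check: unknown user and wrong password both fail,
    and the hash comparison is constant-time."""
    record = store.get(name)
    if record is None:
        return False
    salt, expected = record
    return hmac.compare_digest(_hash_password(password, salt), expected)


def broken_authenticate(store: dict, name: str, password: str) -> bool:
    """Hypothetical model of the bug class in the story: after a code
    update the user lookup still happens but the password is never compared,
    so any password works for an existing account."""
    return name in store


def auth_regression_suite(auth_fn) -> dict:
    """Run the authentication regression cases against auth_fn and return
    {case_name: passed}. Every case is a must-pass gate before deploy."""
    store = {}
    create_user(store, "alice", "correct horse battery staple")  # constructed
    create_user(store, "bob", "hunter2")                         # constructed
    return {
        "correct_password_accepted": auth_fn(store, "alice", "correct horse battery staple") is True,
        "wrong_password_rejected": auth_fn(store, "alice", "not-alices-password") is False,
        "empty_password_rejected": auth_fn(store, "alice", "") is False,
        "other_users_password_rejected": auth_fn(store, "alice", "hunter2") is False,
        "unknown_user_rejected": auth_fn(store, "mallory", "anything") is False,
    }


def suite_passes(auth_fn) -> bool:
    """True only if every regression case passes."""
    return all(auth_regression_suite(auth_fn).values())


if __name__ == "__main__":
    for name, fn in (("authenticate", authenticate), ("broken_authenticate", broken_authenticate)):
        results = auth_regression_suite(fn)
        print(name, "PASS" if all(results.values()) else "FAIL",
              [case for case, ok in results.items() if not ok])
```

The design point is that the suite tests rejection paths, not just the happy path: an authentication that accepts every password still passes "correct password accepted", and only the negative cases expose it.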
    1. Re:Regression testing by buchner.johannes · · Score: 4, Funny

      This is why automated regression testing is a best practice. I guess Dropbox don't test their authentication.

      That would be so oldschool. We do agile development now, and the user is the tester once the unit-tests pass.

      </sarcasm>

      --
      NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
    2. Re:Regression testing by Richard_at_work · · Score: 5, Informative

      No, they have never claimed that the password was involved in the encryption they use - they use one single encryption key for all data stored. Their terms of service did say that your data is inaccessible without your password, but this is nothing more than permissions rather than per-account encryption.

      There has been lots of valid shit thrown around about Dropbox over the recent weeks, but please do try and get stuff right before you complain.

    3. Re:Regression testing by Nikker · · Score: 5, Funny

      This is Slashdot, the start tag was posted in 1999.

      --
      A loop, by its nature, continues. If that didn't make sense, start reading this sentence again.
    4. Re:Regression testing by Richard_at_work · · Score: 5, Informative

      Again, no - it's been well documented that Dropbox does global deduplication and single instance storage, across all data in their database. That would not work anywhere near as well for them if each account used its own encryption key - until they turned it off recently due to abuse, you could shove an Ubuntu iso into your local Dropbox and have it "synced" 100% in seconds, as the Dropbox servers realise that they already have it in their global pool, and simply tell your client not to upload it.

      So yes, they use a single key.
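A small simulation of the trade-off the comment describes, added here as an example and not taken from Dropbox or the thread: a store that keeps one global key and deduplicates on a hash of the plaintext (the client sends the hash first and is told not to upload if the pool already has the file) versus a store where each account encrypts under its own key, so the server only ever sees per-account ciphertexts and the same file uploaded by three accounts is stored three times. `encrypt_toy` is a deliberately simple SHA-256-based stream cipher with a random nonce, used only so the ciphertexts differ per account the way any real nonce-based encryption would; the account names and file bytes are constructed.

```python
import hashlib
import os


def encrypt_toy(key: bytes, plaintext: bytes) -> bytes:
    """Toy stream cipher for illustration only, not for real use: keystream
    blocks are SHA-256(key || nonce || counter), nonce is random per call,
    so the same plaintext under the same key still yields a new ciphertext."""
    nonce = os.urandom(16)
    out = bytearray()
    for offset in range(0, len(plaintext), 32):
        block = hashlib.sha256(key + nonce + offset.to_bytes(8, "big")).digest()
        out.extend(p ^ k for p, k in zip(plaintext[offset:offset + 32], block))
    return nonce + bytes(out)


class GlobalPoolStore:
    """One key for all data; dedup by plaintext hash across every account."""

    def __init__(self, global_key: bytes):
        self.key = global_key
        self.blobs = {}     # plaintext sha256 -> ciphertext
        self.uploads = 0

    def sync(self, account: str, plaintext: bytes) -> bool:
        """Return True if the client had to upload, False if the pool already had it."""
        content_id = hashlib.sha256(plaintext).hexdigest()
        if content_id in self.blobs:
            return False        # server tells the client not to upload
        self.blobs[content_id] = encrypt_toy(self.key, plaintext)
        self.uploads += 1
        return True


class PerAccountKeyStore:
    """Each account encrypts client-side under its own key; the server can
    only dedup on what it sees, which is ciphertext."""

    def __init__(self):
        self.keys = {}      # account -> key (would normally never reach the server)
        self.blobs = {}     # ciphertext sha256 -> ciphertext
        self.uploads = 0

    def sync(self, account: str, plaintext: bytes) -> bool:
        key = self.keys.setdefault(account, os.urandom(32))
        ciphertext = encrypt_toy(key, plaintext)
        blob_id = hashlib.sha256(ciphertext).hexdigest()
        if blob_id in self.blobs:
            return False
        self.blobs[blob_id] = ciphertext
        self.uploads += 1
        return True


def simulate(accounts, file_bytes: bytes) -> dict:
    """Upload the same file from every account into both store designs and
    report how many copies each one actually had to take."""
    pool = GlobalPoolStore(os.urandom(32))
    per_account = PerAccountKeyStore()
    for account in accounts:
        pool.sync(account, file_bytes)
        per_account.sync(account, file_bytes)
    return {
        "accounts": len(accounts),
        "global_key_uploads": pool.uploads,
        "per_account_key_uploads": per_account.uploads,
    }


if __name__ == "__main__":
    # Constructed stand-in for a large shared file such as an ISO.
    print(simulate(["alice", "bob", "carol"], b"ubuntu-iso-stand-in " * 4096))
```

The same hash-before-upload check that makes the global pool cheap is also what makes it a confirmation oracle: the server's "already have it" reply reveals that some account holds that exact file, which is the privacy cost behind the abuse the comment mentions. Per-account keys remove that leak and the deduplication with it.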

    5. Re:Regression testing by gstoddart · · Score: 4, Insightful

      Well, gee, that makes me feel good about their security...

      I've never treated Dropbox like it's secure. It's convenient for copying around files, but I wouldn't use it for anything sensitive.

      I think if you're aware of the fact that it's only *slightly* more secure than a public folder on a shared network and use it accordingly, you can still make use of Dropbox as a tool. Although, admittedly, my usage of it has diminished since I initially got it.

      --
      Lost at C:>. Found at C.
  2. Relax, it was only 4 hours. by Combatso · · Score: 5, Funny

    Relax honey, I only left our baby alone in the bathtub for four hours.
    Relax Mr. President, We only let our enemy control our nuclear arsenal for four hours
    Relax Japan, we have enough battery backup for the cooling system for four hours
    Relax Gulf Residents, it's only been spilling oil for four hours
    Relax Public, the serial killer has only been escaped for four hours
    Relax Columbine Parents, the killing spree and stand off only lasted for four hours

    1. Re:Relax, it was only 4 hours. by xtracto · · Score: 5, Interesting

      but fortunately there is no evidence of any unauthorized access.

      Of course not, all the access were authorized by the faulty authorization system.

      --
      Ubuntu is an African word meaning 'I can't configure Debian'
  3. Dropbox's followup is no good by Wuhao · · Score: 3, Insightful

    Not only was there a serious security issue here, but Dropbox customers are having to find out about this through blogs. Dropbox has yet to email its users about this issue. It claims on its blog that users who logged in during this time have been notified. I logged in during this time, and have received no notice.

    I am now leaving Dropbox. I need to review Wuala and Spideroak to see if they meet my needs, but I can safely say that this event and Dropbox's earlier behavior has demonstrated to me that they do not take the security and privacy of their customers seriously.

  4. The Most Interesting Developer In The World by Kozz · · Score: 5, Funny

    I don't test my code. But when I do, I do it in Production.

    --
    I only post comments when someone on the internet is wrong.
  5. wrong kind of thinking by rubycodez · · Score: 3, Insightful

    Bugs will happen, all the time. The problem here is that there are processes missing; management has failed. Your ideas of software development need to change, it is not a one-man-band.