Dropbox Authentication Bug Exposes Accounts for Hours

Status
Not open for further replies.

Jack
Dropbox is going through a security firestorm after it accidentally introduced a bug that allowed users to access other people's accounts without a password.

"Yesterday we made a code update at 1:54pm Pacific time that introduced a bug affecting our authentication mechanism. We discovered this at 5:41pm and a fix was live at 5:46pm," the company explains on its blog.

According to Dropbox co-founder and CTO Arash Ferdowsi, less than one percent of the service's users logged in during that period of time.

As soon as the problem was discovered all active sessions were terminated in order to prevent any abuse. The company is analyzing the logs to determine if any accounts were accessed without authorization and plans to notify their owners.

Considering that Dropbox has over 25 million users, the number of sessions to be investigated is between 125,000 (0.5%) and 250,000 (1%). However, this choice of only notifying affected users backfired as people learned about the compromise from news sites.

Understandably, this didn't make them very happy and they've taken to the forum to express their disapproval of how the situation was handled.

More details - link
 
Is it not possible to test the update before public release?
 
Yep, nothing is 100% safe, but at least this data breach has not happened as often as Sony's. :P
 
Which is why I use Wuala. My data is encrypted on MY MACHINE. Not even Wuala employees have access to my password or data. The downside of this: if you forget your password, well, that's just too bad.
 
new user said:
Which is why I use Wuala. My data is encrypted on MY MACHINE. Not even Wuala employees have access to my password or data. The downside of this: if you forget your password, well, that's just too bad.
Wuala is very good, but the fact that you can't recover your password can be annoying.
 
I gave up on Dropbox a while ago anyway. It's good if you use it on your phone, but for home use I don't think it's that great. Maybe I'll give Wuala a go.
 
I was reasonable with Dropbox.

Strike one: A privacy policy reassuring users that no one can access their data, when in fact Dropbox handles your encryption keys and they can decrypt your files if they need to (or a disgruntled employee wants to... who knows?)
Strike two: Authentication based on a file saved on your computer. The file could be stolen and the attacker could log in to your account, since there was nothing to tie that file to your PC.
I think this is strike three.
 
You should really consider Wuala. It literally is impossible for anyone but you to access your data without your password. (That, or they have immense computing power to use to decrypt it.) If you won't forget your password, you're OK. Wuala also has many nifty features. You see, to boost speeds up, when you upload your data, it is first encrypted on your local PC, then it is broken up into useless chunks. Your data is not only kept on Wuala servers, but in a cloud cache. People can trade hard disk space on their PC for space on Wuala. That ratio is not 1:1 and depends on your bandwidth. You need to be on the internet for at least 4 hours per day, but it seems worth it. Don't worry about your data being stored in the cache; it is not only encrypted but is stored as broken-down fragments. Also, I'm not sure if this is policy, but only paid users got some extra features like sync, but if you traded in space, you would get all these features. I heard somewhere that now everyone has the same amount of features, but I am not 100% sure.

For more info about Wuala's security features:
http://www.wuala.com/en/learn/technology

Wuala coupon codes (some only work when creating a new account, others work all the time): http://www.retailmenot.com/view/wuala.com
 
Tried out Wuala, and it's really good. I'm gonna use it from now on. I used one of the promo codes, the one that gives 2 free GB to new accounts. That should be good enough for me, I'll just be putting pictures and documents in there. Mostly funny random pictures that I find on 4chan or browsing the Internet. Thanks for recommending it, new, and thanks for the promo codes.
 
TKFlight said:
Tried out Wuala, and it's really good. I'm gonna use it from now on. I used one of the promo codes, the one that gives 2 free GB to new accounts. That should be good enough for me, I'll just be putting pictures and documents in there. Mostly funny random pictures that I find on 4chan or browsing the Internet. Thanks for recommending it, new, and thanks for the promo codes.

On the same site there are plenty of promo codes, not just for Wuala.
My fave: http://www.retailmenot.com/view/newegg.com
 