

Dropbox: Authentication Bug Left Cloud Storage Accounts Wide Open

By Andrew R Hickey
June 21, 2011    9:05 AM ET

Dropbox confirmed that an authentication bug opened a gaping security hole in its cloud storage service, letting any password log into any of its 25 million users' accounts.

The company said the four-hour glitch, during which any Dropbox cloud storage account could be accessed without the proper credentials, "should never have happened."

Late Monday, Dropbox users reported being able to log into their Dropbox accounts using any password. Users quickly took to Twitter and Dropbox's user forums, starting a discussion thread called "Drop box web interface was WIDE OPEN for some time yesterday." The first post shared a tale of logging into various Dropbox accounts without the correct password.

"Yesterday afternoon (around 2 or 3 pm central time), while using the web interface to access my dad's Dropbox account (with his permission), I discovered that I was able to log into his account using an incorrect password (he had mis-remembered it). When I discovered this, I tried my own account using 10 or so completely random strings -- each one let me into my account. I also used a friend's e-mail which I know has a Dropbox account, and was able to get into his account using multiple random passwords," a Dropbox user named Stephen C. posted. "I did NOT do anything malicious though -- it was just to verify that the behavior was global. Somehow some maintenance you were doing to the website or something disabled http authentication!!!!!! This is a big deal. The hole seemed to be closed again a few hours later (around 8 pm central time.)"

According to a blog post by Dropbox CTO and co-founder Arash Ferdowsi describing the authentication bug, the company pushed a code update at 4:54 p.m. Eastern, and that update introduced a bug in Dropbox's authentication mechanism. Dropbox discovered the issue at 8:41 p.m., and a fix was live at 8:46 p.m.

"A very small number of users (much less than 1 percent) logged in during that period, some of whom could have logged into an account without the correct password. As a precaution, we ended all logged in sessions," Ferdowsi wrote.

Ferdowsi said Dropbox will continue its investigation to determine whether any accounts were improperly accessed and will notify account holders of any instances of unusual activity. Dropbox also asked concerned users to contact the company with questions.

"This should never have happened," Ferdowsi wrote. "We are scrutinizing our controls and we will be implementing additional safeguards to prevent this from happening again."
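The failure class described above is a password check that "fails open" after a code change. The following is an added illustration, not Dropbox's code (the article does not describe the actual defect): a hypothetical fail-open check beside a correct one, and the kind of negative regression test, run on every deploy, that would catch a change letting arbitrary passwords through. The user store, email and passwords are constructed sample data.

```python
import hashlib
import hmac
import os
import secrets


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 (iteration count kept low for the demo)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


# Constructed user store: one account, salt + password hash.
_SALT = os.urandom(16)
USERS = {"alice@example.com": (_SALT, hash_password("correct horse", _SALT))}


def login_fail_open(email: str, password: str) -> bool:
    """Hypothetical buggy check: the comparison is computed but its result
    is discarded, so any password is accepted for any existing account."""
    record = USERS.get(email)
    if record is None:
        return False
    salt, stored = record
    hmac.compare_digest(hash_password(password, salt), stored)  # result ignored
    return True


def login_fixed(email: str, password: str) -> bool:
    """Correct check: the constant-time comparison result decides the outcome."""
    record = USERS.get(email)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(hash_password(password, salt), stored)


def wrong_passwords_rejected(login, email: str, trials: int = 10) -> bool:
    """Negative regression test: random passwords must all be rejected.
    A fail-open change makes this return False even though the positive
    'right password works' test still passes."""
    return all(not login(email, secrets.token_hex(8)) for _ in range(trials))


if __name__ == "__main__":
    print("buggy check rejects random passwords:",
          wrong_passwords_rejected(login_fail_open, "alice@example.com"))
    print("fixed check rejects random passwords:",
          wrong_passwords_rejected(login_fixed, "alice@example.com"))
```

The point of the negative test is that a positive login test alone cannot distinguish a working check from a fail-open one.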
