Dropbox: Authentication Bug Left Cloud Storage Accounts Wide Open


Dropbox confirmed that an authentication bug opened a gaping security hole in its cloud storage service which let any password be used to log into any of its 25 million users' accounts.

The company said the four-hour glitch, during which any Dropbox cloud storage account could be accessed without the proper credentials, "should never have happened."

Late Monday, Dropbox users reported being able to log into their Dropbox accounts using any password. Users quickly took to Twitter and Dropbox's user forums, starting a discussion thread called "Drop box web interface was WIDE OPEN for some time yesterday." The first post shared a tale of logging into various Dropbox accounts without the correct password.

"Yesterday afternoon (around 2 or 3 pm central time), while using the web interface to access my dad's Dropbox account (with his permission), I discovered that I was able to log into his account using an incorrect password (he had mis-remembered it). When I discovered this, I tried my own account using 10 or so completely random strings -- each one let me into my account. I also used a friend's e-mail which I know has a Dropbox account, and was able to get into his account using multiple random passwords," a Dropbox user named Stephen C. posted. "I did NOT do anything malicious though -- it was just to verify that the behavior was global. Somehow some maintenance you were doing to the website or something disabled http authentication!!!!!! This is a big deal. The hole seemed to be closed again a few hours later (around 8 pm central time.)"

According to a blog post by Dropbox CTO and co-founder Arash Ferdowsi highlighting the authentication bug, the company updated code at 4:54 p.m. Eastern and that update introduced a bug that affected Dropbox's authentication mechanism. Dropbox discovered the issue at 8:41 p.m. and a fix was live at 8:46 p.m.

"A very small number of users (much less than 1 percent) logged in during that period, some of whom could have logged into an account without the correct password. As a precaution, we ended all logged in sessions," Ferdowsi wrote.

Ferdowsi said Dropbox will continue its investigation to determine whether any accounts were improperly accessed and will notify account holders of any instances of unusual activity. Dropbox also asked concerned users to contact the company with questions.

"This should never have happened," Ferdowsi wrote. "We are scrutinizing our controls and we will be implementing additional safeguards to prevent this from happening again."

NEXT: Users React To Dropbox Authentication Bug