Dropbox: Authentication Bug Left Cloud Storage Accounts Wide Open

Dropbox confirmed that an authentication bug opened a gaping security hole in its cloud storage service which let any password be used to log into any of its 25 million users' accounts.

The company said the four-hour glitch, during which any Dropbox cloud storage account could be accessed without the proper credentials, "should never have happened."

Late Monday, Dropbox users reported being able to log into their Dropbox accounts using any password. Users quickly took to Twitter and Dropbox's user forums, starting a discussion thread called "Drop box web interface was WIDE OPEN for some time yesterday." The first post shared a tale of logging into various Dropbox accounts without the correct password.

"Yesterday afternoon (around 2 or 3 pm central time), while using the web interface to access my dad's Dropbox account (with his permission), I discovered that I was able to log into his account using an incorrect password (he had mis-remembered it). When I discovered this, I tried my own account using 10 or so completely random strings -- each one let me into my account. I also used a friend's e-mail which I know has a Dropbox account, and was able to get into his account using multiple random passwords," a Dropbox user named Stephen C. posted. "I did NOT do anything malicious though -- it was just to verify that the behavior was global. Somehow some maintenance you were doing to the website or something disabled http authentication!!!!!! This is a big deal. The hole seemed to be closed again a few hours later (around 8 pm central time.)"

According to a blog post by Dropbox CTO and co-founder Arash Ferdowsi highlighting the authentication bug, the company updated code at 4:54 p.m. Eastern and that update introduced a bug that affected Dropbox's authentication mechanism. Dropbox discovered the issue at 8:41 p.m. and a fix was live at 8:46 p.m.

"A very small number of users (much less than 1 percent) logged in during that period, some of whom could have logged into an account without the correct password. As a precaution, we ended all logged in sessions," Ferdowsi wrote.

Ferdowsi said Dropbox will continue its investigation to determine whether any accounts were improperly accessed and will notify account holders of any instances of unusual activity. Dropbox also asked concerned users to contact the company with questions.

"This should never have happened," Ferdowsi wrote. "We are scrutinizing our controls and we will be implementing additional safeguards to prevent this from happening again."

NEXT: Users React To Dropbox Authentication Bug

In an update at 1:46 a.m., Dropbox said it would notify affected users within the next few hours as the company works "around the clock" to gather data and review log-ins to Dropbox cloud storage accounts.

"We are sorry for this and regardless of how many people were ultimately affected, any exposure at all is unacceptable to us. We will continue to provide regular updates," Ferdowsi wrote.

By 5:49 a.m. Tuesday, Dropbox said had contacted all accounts that had logged in during the four-hour stretch when password protection and authentication were down. Ferdowsi said those users were e-mailed with additional activity-related details for review.

The apology, however, didn't do much to calm angered customers, who posted their concerns and frustrations at the end of Ferdowsi's blog post. Dropbox boasts 25 million users in 175 countries and claims that more than 200 million files are saved on Dropbox daily.

One user wrote: "This is completely unacceptable and warrants hourly updates until you know exactly what happened. When security is critical to your offering, you should be running unit tests on every deployment and additional security tests. This clearly indicates the need for re-engineering Dropbox security."

That same user said Dropbox's lack of transparency and communication around the issue was not up to snuff and that users should have been notified of the authentication bug sooner. "This fire is about to get kindled unless you put it out with full and complete transparency," that user wrote.

Meanwhile, other users expressed concern over the potential for their data to be compromised.

"I stored my tax returns on my DropBox account. Am I an idiot for having trusted Dropbox's promises of security?" one user asked.

Dropbox's authentication bug brings the thorny issue of cloud security back to the forefront. As cloud computing continues to take hold, many businesses and users are concerned about turning their data over to a third-party and worry that it could be accessed by others. The Dropbox authentication bug, coupled with a recent spate of high-profile cloud outages, has called into question the reliability of cloud services. Despite questions and concerns surrounding the cloud, IDC research predicted this week that the public cloud market will top $72 billion by 2015.