Tuesday, June 21, 2011 [Tweets] [Favorites]

Dropbox Authentication Bug

Arash Ferdowsi:

A very small number of users (much less than 1 percent) logged in during that period, some of whom could have logged into an account without the correct password.

It sounds like there was a four-hour window in which anyone could access your account. I’m not exactly sure what “very small” means here. Doesn’t Dropbox have more than 25 million users?

I still think Dropbox could be more transparent. In the past, they posted important stuff only in the private forum. This was posted on the public blog, but people who would want to know about this don’t necessarily follow that. Customers should have been notified via e-mail.

More generally, I think every Web service should have a test suite to make sure that login authentication works, and users should be able to see a log of the IPs that have accessed their account.

6 Comments

Matthew Brown

I'm guessing the number was very small because it's rare for users to re-authenticate with Dropbox; most of the time you're using the client on your computer or phone that was authenticated long ago.

They need to find out every account that authenticated during that period and contact them.

"It sounds like there was a four-hour window in which anyone could access your account."

I've been feeling good about my decision to not participate in Dropbox these days. Perhaps they could riff off of Phil Zimmerman's PGP acronym and start advertising "Pretty Lousy Privacy" as a Dropbox feature.

"More generally, I think every Web service should have a test suite to make sure that login authentication works, and users should be able to see a log of the IPs that have accessed their account."

My thoughts here:

Web services should be either secure or not, and claim themselves as such. It's a binary decision. If I use a Remember the Milk-esque web service, I'm OK with it being an insecure service in exchange for easier convenience. I don't care if the world gets a glimpse of my shopping list, though I'd obviously like a tiny padlock on the door.

But if I'm using a Dropbox-esque web service, I want an actually secure web service, with a pretty good level of privacy.

That includes your wise suggestion for being to see a log of IP's that have accessed my account, but why stop there?

Encrypted transport, and encrypted cloud storage should be bare minimums for a "secure" web service. And the company having copies of your encryption keys, ala Dropbox, means a service is "non-secure".

So enjoy Dropbox until someone else comes along, but only the foolish treat Dropbox as a "secure" web service. You shouldn't have anything on there you want exclusive control over. It's PLP.

"They need to find out every account that authenticated during that period and contact them."

From my parsing of the update to their blog post, they're saying they did that 12 hours ago.

If they're as good as their word, they handled the clean-up correctly and promptly.

Jacob Wegner

I did get an email from Dropbox this morning.

Good article – here is another cloud storage solution that is fully encrypted:
With SugarSync, you get 5GB of cloud storage space with the FREE version, but now there is no restriction to the number of computers you can sync/backup (up from 2).
It gives you the ability to upload and sync any folder on your computer.
It is the only service that offers such a broad device and OS support with apps for BlackBerry, Android, iPhone/iPad, Symbian, not to mention your computer!
You can also stream MP3 music files to your smartphone or computer.

Also if you use the below referral code you get a bonus 500MB extra on top of your Free 5GB!

https://www.sugarsync.com/referral?rf=tbtp0asbw9pt

Hope it helps someone.

@Matthew Probably, but then why did they write (essentially) “much less than 250,000”?

@Chucky I kind of agree with Dropbox that the ease-of-use and Web features are worth letting them have the encryption key. But they were misleading about how secure the service is in theory, and in practice I have even less confidence in their procedures. I wish there were another option, but for files that don’t need to be that secure, Dropbox is very convenient. And I presume that, frustrating though Dropbox is, Apple will be less transparent about iCloud.

@Jacob So you are one of the people whose account was improperly accessed? I think this serious of an issue warrants an e-mail on the same day, not two days later.

@w0qj I found SugarSync to be much less smooth than Dropbox, and (last I checked) it had very poor handling of Mac metadata and completely deleted files with certain characters in the name. These limitations were not disclosed in the documentation.

Stay up-to-date by subscribing to the Comments RSS Feed for this post.

Leave a Comment