{"id":3524,"date":"2011-06-21T09:07:34","date_gmt":"2011-06-21T14:07:34","guid":{"rendered":"http:\/\/mjtsai.com\/blog\/?p=3524"},"modified":"2011-06-21T09:19:06","modified_gmt":"2011-06-21T14:19:06","slug":"dropbox-authentication-bug","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2011\/06\/21\/dropbox-authentication-bug\/","title":{"rendered":"Dropbox Authentication Bug"},"content":{"rendered":"<p><a href=\"http:\/\/blog.dropbox.com\/?p=821\">Arash Ferdowsi<\/a>:<\/p>\n<blockquote cite=\"http:\/\/blog.dropbox.com\/?p=821\"><p>A very small number of users (much less than 1 percent) logged in during that period, some of whom could have logged into an account without the correct password.<\/p><\/blockquote>\n<p>It sounds like there was a four-hour window in which <a href=\"http:\/\/pastebin.com\/yBKwDY6T\">anyone could access your account<\/a>. I&rsquo;m not exactly sure what &ldquo;very small&rdquo; means here. Doesn&rsquo;t Dropbox have <a href=\"http:\/\/mjtsai.com\/blog\/2011\/05\/27\/the-economics-of-carbonite-and-dropbox\/\">more than 25 million<\/a> users?<\/p>\n<p>I still think Dropbox could be more transparent. In the past, they posted important stuff only in the <a href=\"http:\/\/mjtsai.com\/blog\/2008\/11\/26\/dropbox\/\">private forum<\/a>. This was posted on the public blog, but people who would want to know about this don&rsquo;t necessarily follow that. Customers should have been notified via e-mail.<\/p>\n<p>More generally, I think every Web service should have a test suite to make sure that login authentication works, and users should be able to see a log of the IPs that have accessed their account.<\/p>","protected":false},"excerpt":{"rendered":"<p>Arash Ferdowsi: A very small number of users (much less than 1 percent) logged in during that period, some of whom could have logged into an account without the correct password. It sounds like there was a four-hour window in which anyone could access your account. I&rsquo;m not exactly sure what &ldquo;very small&rdquo; means here. [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"","apple_news_api_id":"","apple_news_api_modified_at":"","apple_news_api_revision":"","apple_news_api_share_url":"","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[2],"tags":[],"class_list":["post-3524","post","type-post","status-publish","format-standard","hentry","category-technology"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/3524","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=3524"}],"version-history":[{"count":7,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/3524\/revisions"}],"predecessor-version":[{"id":3531,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/3524\/revisions\/3531"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=3524"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=3524"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=3524"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}