Tuesday, June 21, 2011

Password fault leaves Dropbox accounts unprotected


An authorisation glitch in Dropbox's login system let anyone sign into customer accounts without a password.
The online syncing service is now sifting through its records to see which users may have been affected.
According to Dropbox, the fault was caused by a code update that introduced a bug affecting the authentication mechanism, which left the system open to abuse.
“During that period, a very small number of users (much less than 1%) logged in, some of whom could have logged into an account without the correct password,” said Arash Ferdowsi on the Dropbox blog. “As a precaution, we ended all logged in sessions.”
Dropbox said it was trawling its log records to identify which accounts might have been accessed by third parties.
“We’re working to gather additional data and continue to review logs for potentially unauthorised activity,” said Ferdowsi.
“We’re conducting a thorough investigation of related activity to understand whether any accounts were improperly accessed. If we identify any specific instances of unusual activity, we’ll immediately notify the account owner.”
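The two steps the post describes, ending every logged-in session as a precaution and reviewing login records for the affected period to find accounts that may have been improperly accessed, can be illustrated with a small triage script. This is an added example, not Dropbox's code, and everything in it is constructed: the log format, the incident window, the account names and the IP addresses are assumptions for illustration only. It flags every account that logged in during the window and, within that set, the accounts whose login came from an address never seen for them before the window, which is the kind of "unusual activity" an investigation would prioritise for owner notification.

```python
from datetime import datetime, timezone

# Constructed sample authentication log (not Dropbox's data). The field layout
# "timestamp event user=... ip=..." is an assumption made for this example.
SAMPLE_LOG = """\
2011-06-19T09:00:00Z login user=carol ip=203.0.113.9
2011-06-19T10:00:12Z login user=alice ip=203.0.113.5
2011-06-19T11:30:44Z login user=bob ip=198.51.100.7
2011-06-19T12:15:01Z login user=alice ip=198.51.100.7
2011-06-19T13:05:09Z login user=carol ip=203.0.113.9
2011-06-19T14:40:19Z login user=alice ip=203.0.113.5
2011-06-19T16:00:00Z login user=dave ip=192.0.2.77
"""

# Constructed incident window (an assumption, not the real period): the time
# during which the faulty authentication code was live.
WINDOW_START = datetime(2011, 6, 19, 12, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2011, 6, 19, 15, 0, tzinfo=timezone.utc)

# Constructed session table: one entry per live session with its issue time.
SAMPLE_SESSIONS = [
    {"user": "alice", "issued": datetime(2011, 6, 19, 11, 0, tzinfo=timezone.utc)},
    {"user": "carol", "issued": datetime(2011, 6, 19, 13, 10, tzinfo=timezone.utc)},
    {"user": "dave", "issued": datetime(2011, 6, 19, 16, 5, tzinfo=timezone.utc)},
]


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, event, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": when, "event": event, **fields})
    return events


def triage(events, start, end):
    """Return (affected, unusual).

    affected: accounts with a login inside [start, end), i.e. while the fault was live.
    unusual:  the subset whose in-window login came from an IP never seen for that
              account before the window, the first candidates for owner notification.
    """
    known_ips = {}
    for e in events:
        if e["event"] == "login" and e["ts"] < start:
            known_ips.setdefault(e["user"], set()).add(e["ip"])

    affected, unusual = set(), set()
    for e in events:
        if e["event"] == "login" and start <= e["ts"] < end:
            affected.add(e["user"])
            if e["ip"] not in known_ips.get(e["user"], set()):
                unusual.add(e["user"])
    return affected, unusual


def revoke_sessions(sessions, fixed_at):
    """Drop every session issued before the fix went live, mirroring the precaution
    of ending all logged-in sessions. Returns the sessions that survive."""
    return [s for s in sessions if s["issued"] >= fixed_at]


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    affected, unusual = triage(events, WINDOW_START, WINDOW_END)
    print("logged in during window:", sorted(affected))
    print("unusual source address: ", sorted(unusual))
    surviving = revoke_sessions(SAMPLE_SESSIONS, WINDOW_END)
    print("sessions kept after revocation:", [s["user"] for s in surviving])
```

With the constructed data, alice and carol both logged in during the window; carol's login came from her usual address, so only alice is flagged as unusual, and every session issued before the fix is revoked regardless of whether its account appears in the window at all. On a real system the "known IP" baseline would come from a longer history than a few hours, and the window boundaries would come from the deployment record of the faulty and fixed builds.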
Security experts have warned that the embarrassing error could pose a problem to business users who use the service to sync and share documents.
"The safety of a web link allowing you to share a file 'through the cloud' depends very strongly on who's able to access that link," said Paul Ducklin of security firm Sophos on the company blog.
"If anyone can download it, you run the risk of data leakage. And if anyone can access and modify it, you run the risk of something much worse," he said. "Unauthorised modification of your Dropbox data could propagate incorrect information throughout your digital world."
The fault is the latest security problem faced by Dropbox, which has been criticised by a security researcher for not offering full encryption.
