Tuesday, June 21, 2011

Dropbox Dropped The Security Ball - Hacking Into Anyone's Account Was A Fingertip Away

For roughly four hours, any layman trying to access other people's accounts at Dropbox could have felt the same thrill as a hacker. In a post on Pastebin, a user describes how he noticed that there was no password check at Dropbox at all:
So I went to Dropbox to change my password & the password change page looked flaky - I can't describe this in much more detail than to say that I clicked OK and nothing really seemed to happen. Did it work? Not sure, let's try the old password. Oh, it still works, so let's change it again. That appeared to work (I got a "password updated" message) - let's try the new password. Yup, good. Wait, I'm pretty sure I fat-fingered an extra character though -- etc. Which led to me realizing that any password at all was fine, at which point I logged into the accounts of two friends using 1-character passwords like 'q' and 'z'.
In response, Arash Ferdowsi, CTO of Dropbox, posted on the corporate blog:
Hi Dropboxers,
Yesterday we made a code update at 1:54pm Pacific time that introduced a bug affecting our authentication mechanism. We discovered this at 5:41pm and a fix was live at 5:46pm. A very small number of users (much less than 1 percent) logged in during that period, some of whom could have logged into an account without the correct password. As a precaution, we ended all logged in sessions.

As more and more of us entrust our data jewels to the cloud, let's hope that services like Dropbox go on the offensive with regard to security practices and don't drop the ball. Let's hope they adopt authentication methods stronger than static username/password pairs, such as one-time passwords or, better yet, challenge-response based logins.
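To make the failure mode concrete, here is an added example (not Dropbox's code, and not the actual bug, which the post does not show): a hypothetical password check that computes but never compares the hash, next to a correct constant-time check, and the negative-case test (wrong, empty and one-character passwords must be rejected) that would have flagged such a regression before the code update went live.

```python
import hashlib
import hmac
import os

# Constructed in-memory user store for the example: username -> (salt, PBKDF2 hash).
# A production system would use a dedicated password hashing library (bcrypt/scrypt/argon2).
_USERS = {}

def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def register(username: str, password: str) -> None:
    salt = os.urandom(16)
    _USERS[username] = (salt, _hash_password(password, salt))

def verify_password_broken(username: str, password: str) -> bool:
    """Hypothetical regression of the kind the post describes: the hash is
    computed but never compared, so any password at all is accepted."""
    record = _USERS.get(username)
    if record is None:
        return False
    salt, _stored = record
    _hash_password(password, salt)  # result is dropped, never checked against _stored
    return True

def verify_password(username: str, password: str) -> bool:
    """Correct check: recompute the hash and compare it in constant time."""
    record = _USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(_hash_password(password, salt), stored)

def auth_regression_suite(verify) -> dict:
    """Negative cases a login deployment should gate on. Each value is True
    when the verifier under test behaves correctly for that case."""
    register("alice", "correct horse battery staple")
    return {
        "accepts_correct": verify("alice", "correct horse battery staple"),
        "rejects_wrong": not verify("alice", "wrong password"),
        "rejects_one_char": not verify("alice", "q"),
        "rejects_empty": not verify("alice", ""),
        "rejects_unknown_user": not verify("mallory", "q"),
    }
```

Run `auth_regression_suite(verify_password_broken)` and the one-character and wrong-password cases come back False, which is exactly the symptom the Pastebin poster stumbled on by hand.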

2 comments:

  1. For every business, data security is very important. In this hosting, your data is stored on a safe and secure data server. Cloud hosting will provide secured hosting for your website, so your data and website are safe from unauthorized access or attacks.

  2. Interesting idea, but is it working?
    Cyber security is now not only a problem for companies or holdings, but for countries and cities.