Close
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Menu
Search
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cloud
    • Cloud
    • Cybersecurity
    • Networking
    • Storage

    Dropbox Accidentally Turned Off Passwords on File Storage Service

    By
    Fahmida Y. Rashid
    -
    June 21, 2011
    Share
    Facebook
    Twitter
    Linkedin

      Online storage service Dropbox accidentally turned off passwords for four hours, potentially exposing data belonging to its 25 million customers to unauthorized users.

      The breach occurred when the company applied a code change at 4:54 p.m. EST on June 19 that caused problems with the authentication mechanism, Arash Ferdowsi, Dropbox CTO and founder, wrote in the company blog June 20. The problem was discovered about four hours later and Dropbox killed all of the sessions of those who were logged in and accessing the data.

      The password issue allowed anyone in the world to access any of the 25 million accounts and the information stored inside by typing in any string as the password. The bug was possible because Dropbox handles encryption and decryption on its servers instead of the individual user computers. Since it holds the encryption key, it controls who can open the files, not the user.

      “This should never have happened. We are scrutinizing our controls, and we will be implementing additional safeguards to prevent this from happening again,” Ferdowsi wrote in his blog.

      The issue was fixed at 8:46 p.m. EST, five minutes after it learned of the issue, according to Ferdowsi. The company also notified all those who had logged in during that four-hour window and asked them to review their account activity details. Concerned users can also directly contact Dropbox either through [email protected] or [email protected], the company said.

      “This kind of event underscores what a lot of people have been saying for a while-no cloud provider is immune from making the same basic administration mistakes that all other organizations make,” Geoff Webb, senior product manager at Credant Technologies, told eWEEK. The difference for cloud providers is that when a problem occurs, it affects a bigger user base. Much of the data is “probably not sensitive at all,” but considering many enterprises rely on the service to store business information, having accounts unprotected for several hours increases the potential of a damaging data breach, Webb said.

      Much less than one percent of the accounts were accessed during that four-hour period, according to Ferdowsi. It is still investigating whether any unauthorized users improperly viewed those accounts.

      “We’re conducting a thorough investigation of related activity to understand whether any accounts were improperly accessed,” Ferdowsi wrote.

      Dropbox Criticized for Encryption Key Control Policy

      The problem was identified by a user, who reported it on Dropbox forums and contacted independent security researcher Christopher Soghoian, a doctoral student at the University of Indiana. He posted the tip onto text-sharing site Pastebin.

      “I found I was able to log into my account using an incorrect password, and on further investigation I found I could log in and access files on any of the three accounts I tested (mine and two friends’) using any password,” the unknown user wrote Soghoian.

      Soghoian has long been a vocal critic of Dropbox. In May, he wrote a letter of complaint to the Federal Trade Commission, alleging the company deceived its users by overstating how secure its file service really was. Dropbox used to claim that employees at the company had no way of viewing user files when a few of them had administrative privileges. Dropbox recently updated its terms of service to reflect that fact and that it would decrypt users’ files and give the government access to them if asked.

      Individuals and businesses need to be responsible for the security of their files, wherever they are stored, according to Webb. “No controls put in place by a third party can be relied on 100 percent,” Webb said.

      Dropbox allows users to store files, regardless of file type, on remote servers that are accessible from anywhere in the world. The company claimed to store more than 200 million pieces of data in April.

      Letting Dropbox control the encryption key makes the service easy to use and allows users to recover their files even if they forget their password. If the user controlled the encryption key, the data would be lost forever if they ever lost the password, according to Dropbox. The encryption key will also have to be entered on every single device the user wants to use to sync to the service.

      Soghoian argued the company’s encryption model introduced too many vulnerabilities and customers should retain full control over encryption.

      “The reality is that most end users are not equipped to implement proper key management,” Mushegh Hakhinian, a security architect at IntraLinks, said. Delegating key management to an end user doesn’t really make sense, he said, noting that providers can store the information in a “very secure” data center.

      “Dropbox isn’t the problem here. It’s the unreasonable expectation that simply moving files into the cloud will somehow keep them safe-no matter who operates the service. It won’t,” Webb said.

      Avatar
      Fahmida Y. Rashid

      MOST POPULAR ARTICLES

      Android

      Samsung Galaxy XCover Pro: Durability for Tough...

      Chris Preimesberger - December 5, 2020 0
      Have you ever dropped your phone, winced and felt the pain as it hit the sidewalk? Either the screen splintered like a windshield being...
      Read more
      Cloud

      Why Data Security Will Face Even Harsher...

      Chris Preimesberger - December 1, 2020 0
      Who would know more about details of the hacking process than an actual former career hacker? And who wants to understand all they can...
      Read more
      Cybersecurity

      How Veritas Is Shining a Light Into...

      eWEEK EDITORS - September 25, 2020 0
      Protecting data has always been one of the most important tasks in all of IT, yet as more companies become data companies at the...
      Read more
      Big Data and Analytics

      How NVIDIA A100 Station Brings Data Center...

      Zeus Kerravala - November 18, 2020 0
      There’s little debate that graphics processor unit manufacturer NVIDIA is the de facto standard when it comes to providing silicon to power machine learning...
      Read more
      Apple

      Why iPhone 12 Pro Makes Sense for...

      Wayne Rash - November 26, 2020 0
      If you’ve been watching the Apple commercials for the past three weeks, you already know what the company thinks will happen if you buy...
      Read more
      eWeek


      Contact Us | About | Sitemap

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Property of TechnologyAdvice.
      Terms of Service | Privacy Notice | Advertise | California - Do Not Sell My Information

      © 2021 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×