Online storage service Dropbox accidentally turned off passwords for four hours, potentially exposing data belonging to its 25 million customers to unauthorized users.
The breach occurred when the company applied a code change at 4:54 p.m. EST on June 19 that caused problems with the authentication mechanism, Arash Ferdowsi, Dropbox CTO and founder, wrote in the company blog June 20. The problem was discovered about four hours later and Dropbox killed all of the sessions of those who were logged in and accessing the data.
The password issue allowed anyone in the world to access any of the 25 million accounts and the information stored inside by typing in any string as the password. The bug was possible because Dropbox handles encryption and decryption on its servers instead of the individual user computers. Since it holds the encryption key, it controls who can open the files, not the user.
“This should never have happened. We are scrutinizing our controls, and we will be implementing additional safeguards to prevent this from happening again,” Ferdowsi wrote in his blog.
The issue was fixed at 8:46 p.m. EST, five minutes after it learned of the issue, according to Ferdowsi. The company also notified all those who had logged in during that four-hour window and asked them to review their account activity details. Concerned users can also directly contact Dropbox either through [email protected] or [email protected], the company said.
“This kind of event underscores what a lot of people have been saying for a while-no cloud provider is immune from making the same basic administration mistakes that all other organizations make,” Geoff Webb, senior product manager at Credant Technologies, told eWEEK. The difference for cloud providers is that when a problem occurs, it affects a bigger user base. Much of the data is “probably not sensitive at all,” but considering many enterprises rely on the service to store business information, having accounts unprotected for several hours increases the potential of a damaging data breach, Webb said.
Much less than one percent of the accounts were accessed during that four-hour period, according to Ferdowsi. It is still investigating whether any unauthorized users improperly viewed those accounts.
“We’re conducting a thorough investigation of related activity to understand whether any accounts were improperly accessed,” Ferdowsi wrote.
Dropbox Criticized for Encryption Key Control Policy
The problem was identified by a user, who reported it on Dropbox forums and contacted independent security researcher Christopher Soghoian, a doctoral student at the University of Indiana. He posted the tip onto text-sharing site Pastebin.
“I found I was able to log into my account using an incorrect password, and on further investigation I found I could log in and access files on any of the three accounts I tested (mine and two friends’) using any password,” the unknown user wrote Soghoian.
Soghoian has long been a vocal critic of Dropbox. In May, he wrote a letter of complaint to the Federal Trade Commission, alleging the company deceived its users by overstating how secure its file service really was. Dropbox used to claim that employees at the company had no way of viewing user files when a few of them had administrative privileges. Dropbox recently updated its terms of service to reflect that fact and that it would decrypt users’ files and give the government access to them if asked.
Individuals and businesses need to be responsible for the security of their files, wherever they are stored, according to Webb. “No controls put in place by a third party can be relied on 100 percent,” Webb said.
Dropbox allows users to store files, regardless of file type, on remote servers that are accessible from anywhere in the world. The company claimed to store more than 200 million pieces of data in April.
Letting Dropbox control the encryption key makes the service easy to use and allows users to recover their files even if they forget their password. If the user controlled the encryption key, the data would be lost forever if they ever lost the password, according to Dropbox. The encryption key will also have to be entered on every single device the user wants to use to sync to the service.
Soghoian argued the company’s encryption model introduced too many vulnerabilities and customers should retain full control over encryption.
“The reality is that most end users are not equipped to implement proper key management,” Mushegh Hakhinian, a security architect at IntraLinks, said. Delegating key management to an end user doesn’t really make sense, he said, noting that providers can store the information in a “very secure” data center.
“Dropbox isn’t the problem here. It’s the unreasonable expectation that simply moving files into the cloud will somehow keep them safe-no matter who operates the service. It won’t,” Webb said.