
Login Security Fail: Three Vendors Store Passwords in Plain-Text

Posted on July 23rd, 2012 by

LinkedIn and Facebook have previously been hit with password security breaches, and now Dropbox has been having its own week of security woes. This seems to be prompting many of the company’s users to utter the following:

It seems like lately there are all kinds of reports about apps and websites that are not taking password security seriously. There was the Week of Leaks not too long ago, where hackers hit several popular websites and posted password dumps for millions of users. To those of us in the security industry, password security seems like Security 101, but many companies are still not getting this right. It’s so simple: Do not store or transmit passwords in plain text. Ever. Seriously.

The latest apps found to have this problem are the LinkedIn, Facebook and Dropbox apps on iOS devices. If I were inclined towards betting, I would put my money on these not being the only three major vendors to be named. Because the password is stored in plain text, it can be copied either by someone who gets physical access to your device or by a computer you plug the device into, such as a public one. This works on any iOS device, not just jailbroken ones. To minimize this threat, use the password lock option and do not plug your iDevice into any public computer. Both Facebook and Dropbox will have updates for this shortly, so keep an eye out for that.
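For developers, the fix for the class of flaw described above is to keep the secret out of plain-text files that a connected computer or backup can read. The following is an added illustration, not code from this post or from any of the vendors named; the service and account strings are placeholders, and the insecure function exists only to show the pattern being contrasted.

```swift
import Foundation
import Security

// Placeholder identifiers for this example (not from the original post).
let service = "com.example.app.login"
let account = "user@example.com"

// The pattern being criticised: a plain-text value in the app's preferences
// file, which is readable by any computer the device is synced or backed up to.
func storeSecretInsecurely(_ secret: String) {
    UserDefaults.standard.set(secret, forKey: "password")
}

// Hardened form: store the secret in the Keychain, readable only while the
// device is unlocked (so the passcode lock protects it) and never migrated to
// another device. Prefer storing a server-issued session token here rather
// than the user's password itself, so the password never needs to be kept.
func storeSecretInKeychain(_ secret: String) -> OSStatus {
    let base: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
    ]
    // Remove any earlier copy so SecItemAdd does not fail with errSecDuplicateItem.
    SecItemDelete(base as CFDictionary)

    var attrs = base
    attrs[kSecValueData as String] = Data(secret.utf8)
    attrs[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
    return SecItemAdd(attrs as CFDictionary, nil)
}

// Read the secret back; returns nil if the item is absent or the device is locked.
func readSecretFromKeychain() -> String? {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecReturnData as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
    ]
    var item: CFTypeRef?
    guard SecItemCopyMatching(query as CFDictionary, &item) == errSecSuccess,
          let data = item as? Data else { return nil }
    return String(data: data, encoding: .utf8)
}
```

Auditing an app for this flaw means checking its preferences and document files on a synced computer for the credential in clear; the Keychain form above keeps it out of those locations.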

  • Jensen_G

    ok, the headline is a bit sensationalistic for a security flaw that requires physical access to the device. Until I got to the last paragraph, this made it sound like anyone who has a Dropbox account is at risk, which isn’t true. You have to use the Dropbox iPhone app AND have someone malicious get physical access to your device (or plug your iPhone into a public computer…who does that?). Just trying to calm my beating heart after initially thinking my secure dropbox password had been compromised and then realizing the above.

    • LysaMyers

      Sorry for scaring you! There’s still a risk—we just wanted people to be aware.

  • http://twitter.com/vrcqbpro Victoria Cameron

    Isn’t this the same security flaw Dropbox had back in April that they issued an app update for two days after it hit the news? I’m confused how it can still be an issue.

  • LysaMyers

    This password is used solely during product registration. It can’t be used to gather or retrieve any information about an individual user or their account (such as a serial number). We acknowledge this is still a risky proposition as some users may use passwords that they use for other accounts. We are currently redesigning a solution for NetUpdate that will not actually require a separate password for the functionality this account is used to access.
