Security researcher Christopher Soghoian discovered yesterday that it was possible to log into a Dropbox account using any password. Random letters, single letters, anything. He quickly contacted Dropbox, and got an e-mail from the company’s CTO Arash Ferdowsi, claiming that it was a “very brief glitch.”
The company later posted an article on their blog describing what happened.
“Yesterday we made a code update at 1:54pm Pacific time that introduced a bug affecting our authentication mechanism. We discovered this at 5:41pm and a fix was live at 5:46pm. A very small number of users (much less than 1 percent) logged in during that period, some of whom could have logged into an account without the correct password.”
This is a reminder that the cloud cannot ever be perfectly secure, and that users should be careful about what types of files they store with Dropbox or with other, similar services.