
Dropbox Password Failure Puts Users’ Files at Risk for Four Hours

Posted on June 21st, 2011 by

Security researcher Christopher Soghoian discovered yesterday that it was possible to log into a Dropbox account using any password. Random letters, single letters, anything. He quickly contacted Dropbox, and got an e-mail from the company’s CTO Arash Ferdowsi, claiming that it was a “very brief glitch.”

The company later posted an article on their blog describing what happened:

“Yesterday we made a code update at 1:54pm Pacific time that introduced a bug affecting our authentication mechanism. We discovered this at 5:41pm and a fix was live at 5:46pm. A very small number of users (much less than 1 percent) logged in during that period, some of whom could have logged into an account without the correct password.”

This is a reminder that the cloud cannot ever be perfectly secure, and that users should be careful what types of files they store with Dropbox or with other, similar services.