Dropbox update nullifies passwords

Powered by SC Magazine
 

Company claims 1 percent of users logged in during bungle.

Private details of some of Dropbox's 25 million users were exposed overnight after a bungled code update nullified account password security.

The glitch allowed accounts on the free cloud storage system - ostensibly protected by "military" security systems - to be accessed with any password.

Accounts were exposed for up to four hours, although the glitch was fixed in less than five minutes after it was reported by several users including security researcher Christopher Soghoian.

Dropbox co-founder Arash Ferdowsi said less than 1 percent of users - about 250,000 - had accessed accounts while the passwords were exposed.

"Yesterday we made a code update at 1:54pm Pacific time that introduced a bug affecting our authentication mechanism," Ferdowsi wrote in a blog post today.

"A very small number of users logged in during that period, some of whom could have logged into an account without the correct password. As a precaution, we ended all logged in sessions."

Ferdowsi said the company is conducting an investigation and will notify affected users.

"This should never have happened. We are scrutinising our controls and we will be implementing additional safeguards to prevent this from happening again."

Soghoian, who previously attacked Dropbox's claims that it uses military-strength security, was alerted to the breach through an email from an unnamed user.

The breach comes on the heels of the publication of a forensic tool developed to help investigators crack Dropbox accounts.

Copyright © SC Magazine, Australia


Dropbox update nullifies passwords
Johnny Magnusson, public domain
 
 
 
Top Stories
Abbott brings back Science minister in cabinet reshuffle
Science tacked onto to Industry title.
 
Beyond ACORN: Cracking the infosec skills nut
[Blog post] Could the Government's cybercrime focus be a catalyst for change?
 
The iTnews Benchmark Awards
Meet the best of the best.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
Who do you trust most to protect your private data?







   |   View results
Your bank
  38%
 
Your insurance company
  4%
 
A technology company (Google, Facebook et al)
  8%
 
Your telco, ISP or utility
  8%
 
A retailer (Coles, Woolworths et al)
  3%
 
A Federal Government agency (ATO, Centrelink etc)
  19%
 
An Australian law enforcement agency (AFP, ASIO et al)
  14%
 
A State Government agency (Health dept, etc)
  6%
TOTAL VOTES: 1900

Vote
Do you support the abolition of the Office of the Information Commissioner?