Dropbox update nullifies passwords

Powered by SC Magazine
 

Company claims 1 percent of users logged in during bungle.

Private details of some of Dropbox's 25 million users were exposed overnight after a bungled code update nullified account password security.

The glitch allowed accounts on the free cloud storage system - ostensibly protected by "military" security systems - to be accessed with any password.

Accounts were exposed for up to four hours, although the glitch was fixed in less than five minutes after it was reported by several users including security researcher Christopher Soghoian.

Dropbox co-founder Arash Ferdowsi said less than 1 percent of users - about 250,000 - had accessed accounts while the passwords were exposed.

"Yesterday we made a code update at 1:54pm Pacific time that introduced a bug affecting our authentication mechanism," Ferdowsi wrote in a blog post today.

"A very small number of users logged in during that period, some of whom could have logged into an account without the correct password. As a precaution, we ended all logged in sessions."

Ferdowsi said the company is conducting an investigation and will notify affected users.

"This should never have happened. We are scrutinising our controls and we will be implementing additional safeguards to prevent this from happening again."

Soghoian, who previously attacked Dropbox's claims that it uses military-strength security, was alerted to the breach through an email from an unnamed user.

The breach comes on the heels of the publication of a forensic tool developed to help investigators crack Dropbox accounts.

Copyright © SC Magazine, Australia


Dropbox update nullifies passwords
Johnny Magnusson, public domain
 
 
 
Top Stories
Don’t mention digital disruption to David Whiteing
Buzzwords don’t curry favour with CBA's new CIO - it’s all just innovation to him.
 
Content, cost & constant innovation: How Foxtel plans to take on Netflix
Nell Payne inhabits the “brave new world of blue strings and networking”. Just don't ask her to put a TV screen on your microwave.
 
Westpac fires starting pistol on core banking upgrade
St George readies itself for move to Celeriti.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
Should Optus make a bid for iiNet?

   |   View results
Yes
  43%
 
No
  57%
TOTAL VOTES: 614

Vote