Dropbox update nullifies passwords

Powered by SC Magazine
 

Company claims 1 percent of users logged in during bungle.

Private details of some of Dropbox's 25 million users were exposed overnight after a bungled code update nullified account password security.

The glitch allowed accounts on the free cloud storage system - ostensibly protected by "military" security systems - to be accessed with any password.

Accounts were exposed for up to four hours, although the glitch was fixed less than five minutes after it was reported by several users, including security researcher Christopher Soghoian.

Dropbox co-founder Arash Ferdowsi said less than 1 percent of users - about 250,000 - had accessed accounts while the passwords were exposed.

"Yesterday we made a code update at 1:54pm Pacific time that introduced a bug affecting our authentication mechanism," Ferdowsi wrote in a blog post today.

"A very small number of users logged in during that period, some of whom could have logged into an account without the correct password. As a precaution, we ended all logged in sessions."

Ferdowsi said the company is conducting an investigation and will notify affected users.

"This should never have happened. We are scrutinising our controls and we will be implementing additional safeguards to prevent this from happening again."

Soghoian, who previously attacked Dropbox's claims that it uses military-strength security, was alerted to the breach through an email from an unnamed user.

The breach comes on the heels of the publication of a forensic tool developed to help investigators crack Dropbox accounts.

Copyright © SC Magazine, Australia

