
These days, hackers on a rampage looting information from insecure websites may leave many internet users jittery. To make matters worse, Dropbox did the unthinkable last Sunday — it allowed anyone in the world to access any one of its 25 million customers’ online storage lockers — simply by typing in any password.

Dropbox, one of the most popular ways to share and sync files online, says the accounts became unlocked at 1:54pm Pacific time on Sunday, 19th June, when a programming change introduced a bug. The company closed the hole a little less than 4 hours later.

The bug was reported on Dropbox forums and on Pastebin. Dropbox says fewer than 1% of accounts were opened during that time and it force-closed all of those sessions to cut off access to anyone who authenticated with false credentials during the window of the security breach.

The bug was made possible by the security architecture Dropbox has chosen, in which encryption and decryption happen on Dropbox’s servers rather than on users’ own computers. Because Dropbox, not the user, holds the encryption key, Dropbox itself can open stored files. That architecture adds to ease of use and lets people recover their files — even if they forget their password. In a system where a user unlocks their cloud files with their own encryption key, the data would be lost forever if the user forgets that key, and a complicated key has to be entered into every client device that wants to sync with the locker.

However, some worry that Dropbox’s model introduces too many security vulnerabilities and that Dropbox overstated how secure file storage was, leading to complaints filed against the company. Dropbox strongly disputed that it ever misled its users, saying that its security was an upgrade from how users typically stored information on their own computers.

In a blog post the following day, Dropbox issued an explanation for the security breach: “We’re conducting a thorough investigation of related activity to understand whether any accounts were improperly accessed. If we identify any specific instances of unusual activity, we’ll immediately notify the account owner. If you’re concerned about any activity that has occurred in your account, you can contact us at security@dropbox.com. This should never have happened. We are scrutinizing our controls and we will be implementing additional safeguards to prevent this from happening again.”

For those who are seeking a service similar to Dropbox, but with more security, Wuala and SpiderOak encrypt data on users’ devices, not on a central server.
