June 25, 2011 by Vincent
Dropbox Security Blunder Leaves All User Accounts Accessible Without Password
All Dropbox accounts were accessible with virtually any passwords, even incorrect ones, for four hours on Monday. The blunder was made when the company implemented a code update, and it took four hours before realizing the issue, eventually having it fixed in the next five minutes.
Less than one percent of users logged in during that period, according to a blog post by Arash Ferdowsi, Dropbox’s co-founder and CTO. These accounts will be flagged for investigation, and the account owner will be notified if there’s any unauthorized access:
We’re conducting a thorough investigation of related activity to understand whether any accounts were improperly accessed. If we identify any specific instances of unusual activity, we’ll immediately notify the account owner. If you’re concerned about any activity that has occurred in your account, you can contact us at firstname.lastname@example.org.
2011 hasn’t been a particularly good year for Dropbox. Some users got upset when the company updated its terms of service in April, reserving the right to decrypt and hand over private files of any users to the government when requested, in compliance to the United States law.
The company was also alleged to have misled its users in a help article, stating “Dropbox employees aren’t able to access user files” statement.” The statement was later revised to “Dropbox employees are prohibited from viewing the content of files you store..” in the same month.
Along with the latest security blunder, Dropbox effectively went from “only you can see your files” to “employees and the government may also see your files”, and for four hours, “anyone can see your files.”
The commendable part? Dropbox admits its fault on each of these occasions, clarifying and communicating with its users through the company blog.
Protip: Regardless of any promises made by online storage service providers, if a file is too important to be seen by anyone, encrypt it yourself using free tools like TrueCrypt.