Another Dropbox security glitch: No password required

It looks like these are bad days for Dropbox and its users. A recent update to Dropbox introduced a bug into its authentication system that accepted any password for any account. In plain terms, during that window anyone who knew your username could log into your Dropbox account with any random password.


Here is what the Dropbox blog says about the bug:

Yesterday we made a code update at 1:54pm Pacific time that introduced a bug affecting our authentication mechanism. We discovered this at 5:41pm and a fix was live at 5:46pm. A very small number of users (much less than 1 percent) logged in during that period, some of whom could have logged into an account without the correct password. As a precaution, we ended all logged in sessions.

The problem is that, apart from the fact this should never have happened, Dropbox users never received an email or even a tweet about the authentication bug. They should have been informed the moment it was detected. I still remember the LastPass incident, when users were asked to change their passwords immediately because something may have happened, even though it was not confirmed that anything had.

Dropbox claims to “use the best tools and engineering practices available to build our software, and we have smart people making sure that Dropbox remains secure”, but it looks like all is not well. Users are venting their anger at Dropbox in the comments on the blog post.

A user, Tony, commented:

This is completely unacceptable and warrants hourly updates until you know exactly what happened. When security is critical to your offering, you should be running unit tests on every deployment and additional security tests. This clearly indicates the need for re-engineering Dropbox security.

As to moving forward, every single Dropbox customer should be getting an e-mail right now about this — not hearing about it from other sources or from a seemingly calm-toned blog post. Dropbox hasn’t even tweeted about this a full 24 hours after it happened.

Another user, mindctrl, wrote:

I’m done with Dropbox. Lies. Poor management. Bad programming. Poor deployment decisions (one example: forcing Growl onto Mac users without disclosure). Purposeful withholding of obvious features, like sync folders or download whole folders on mobile. Sad, really. It had so much potential.

For the time being, the authentication bug has been fixed, but no one knows what happened in those 4-5 hours before anyone noticed it.
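The post does not say what the faulty code update actually changed, so the following is an added, constructed illustration (not Dropbox's code) of the failure class it describes: an authentication check that accepts any password, beside the corrected check and the per-deployment regression test that Tony's comment asks for. All function names and the sample password are hypothetical.

```python
import hashlib
import hmac
import os

# Constructed illustration, not Dropbox's code: a salted-hash password
# store, a hypothetical verifier with a bug in the "any password accepted"
# class, the corrected verifier, and a pre-deployment regression check.

ITERATIONS = 50_000  # PBKDF2 work factor; kept low so the demo runs fast


def make_record(password: str, salt: bytes = b"") -> dict:
    """Store a salted PBKDF2-SHA256 hash of the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def _digest(record: dict, password: str) -> bytes:
    """Recompute the hash of a candidate password with the stored salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], ITERATIONS)


def verify_broken(record: dict, password: str) -> bool:
    """Hypothetical regression: the hash comparison is computed but its
    result is discarded, so the function really answers "does the account
    exist" and every password is accepted."""
    matches = hmac.compare_digest(_digest(record, password), record["hash"])
    return record is not None  # BUG: should return `matches`


def verify_fixed(record: dict, password: str) -> bool:
    """Correct check: constant-time comparison of the recomputed hash."""
    return hmac.compare_digest(_digest(record, password), record["hash"])


def login_regression_check(verify) -> bool:
    """Deployment gate: the verifier must accept the right password AND
    reject wrong and empty ones. A verifier that only passes the first
    half is exactly the failure the post describes."""
    record = make_record("correct horse battery staple")
    accepts_right = verify(record, "correct horse battery staple")
    rejects_wrong = not verify(record, "not the password")
    rejects_empty = not verify(record, "")
    return accepts_right and rejects_wrong and rejects_empty


if __name__ == "__main__":
    print("fixed verifier passes gate:", login_regression_check(verify_fixed))
    print("broken verifier passes gate:", login_regression_check(verify_broken))
```

A gate like this belongs in the deployment pipeline rather than only in the unit suite, so a release that breaks authentication is blocked before it reaches users.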

So, are you a Dropbox user? What do you think about it? Share your feedback with us.


4 comments
  • Chris

    Unfortunately I am, and I am moving to SugarSync, a better online storage service with more free space.
    BYE DROPBOX

    • Unfortunately, that's what happens when we trust any cloud service too much. This should not have happened at all, and Dropbox should have tested everything before rolling out the update.

  • Grr

    Thanks for the update, Avi.
    It is high time for Dropbox to hire me as a tester… are they listening?…

    By the way, it’s not a big deal, as Dropbox is a cloud service. We have seen the Gmail outage, the AVG/Avast updates that caused BSODs, and many others. Till now I have enjoyed using Dropbox and would continue to do so.

    Grr

  • drwoo

    I don’t store any private data on cloud services (except my email account) so I’m not afraid about this kind of leakage.
