
Dropbox security bug temporarily allowed logins without authentication

Earlier today, a code update to Dropbox introduced a bug that temporarily allowed access to users' accounts and files without authentication via the company's web interface. For approximately four hours, from the time that Dropbox made the changes until the service's developers were able to correct the error, user accounts were accessible by merely typing in the email address associated with the account.

"This should never have happened," Dropbox says on its blog. "We are scrutinizing our controls and we will be implementing additional safeguards to prevent this from happening again."

TechCrunch notes that many Dropbox users store sensitive files using the service, and it's a sobering thought that such files were theoretically freely accessible by anyone for any period of time. Dropbox claims that less than one percent of users logged into the service while authentication was inadvertently optional, and it logged out all user sessions as a precaution.

This is not the first time concerns have been raised over possible security issues with Dropbox, but the fact that user accounts and files were accessible without authentication may lead users looking for a secure online file storage system to look elsewhere when iCloud debuts this fall.





7 Comments

w0qjw0qj

Good review – here are a few recent changes as of June 2011:
You get 5GB of cloud storage space with the FREE version, but now there is no restriction to the number of computers you can sync/backup (up from 2).
It gives you the ability to upload and sync any folder on your computer.
It is the only service that offers such a broad device and OS support with apps for BlackBerry, Android, iPhone/iPad, Symbian, not to mention your computer!
You can also stream MP3 music files to your smartphone or computer.

Also if you use the below referral code you get a bonus 500MB extra on top of your Free 5GB!

https://www.sugarsync.com/referral?rf=tbtp0asbw9pt

Hope this helps someone!

June 29 2011 at 2:57 PM
Justin

Wow, when did the TUAW comments section get so spammy? It seems that a large majority of the comments I can see on this are people either trying to advertise for a competing product, or increase their Dropbox space (or increase their space on a competing product). The comments section is for discussion of the article, people, not your personal gain.

June 21 2011 at 11:56 AM, +3
Wayne Luke

Glad I cancelled my Dropbox account last month. Just had a feeling that I was better off without it. Of course MobileMe could also have problems so not completely secure. I keep my most sensitive files off the cloud though.

June 21 2011 at 9:54 AM
AdamJRed

And in other news SpiderOak has a record number of new accounts from people upset not just over the 4 hour window of 'free-logins' but who also didn't know/realize/understand that Dropbox can access (and give others access to) your data...

June 21 2011 at 12:42 AM
Alexander Rivera

Should I be ashamed that I don't know what dropbox is? - http://www.likefree.org

June 20 2011 at 11:13 PM
2 replies to Alexander Rivera's comment
puhsitch

Yeah, I think so

June 21 2011 at 2:12 AM
neiltbonewatkins

Yep. You should be more ashamed of needlessly posting an inane comment to advertise a completely unrelated site though.

June 21 2011 at 3:18 PM

© 2012 AOL Inc. All Rights Reserved.