Bug exposed Dropbox accounts to other users for about four hours Sunday

The accounts of people using Dropbox, a cloud computing service, were accessible to other users during a nearly four-hour period Sunday.

The breach was caused by a software update that affected the authentication mechanism of the service, the company said. Dropbox allows users to store personal documents, videos, photos and other files on remote servers that are accessible from anywhere in the world.

Dropbox, which announced in April that it had more than 25 million users, said in a blog post Monday that only 1% of its users logged in while the window was open. The company said it was “conducting a thorough investigation of related activity to understand whether any accounts were improperly accessed.”

“This should never have happened,” company founder Arash Ferdowsi said in the post. “We are scrutinizing our controls, and we will be implementing additional safeguards to prevent this from happening again.”

The bug exposed Dropbox user accounts beginning about 1:54 p.m. Pacific time and was discovered by the company at 5:41 p.m. The problem was fixed within five minutes, Dropbox said.

Dropbox, which has boasted that it can safely keep people’s files online, has to take care of its security, said Tin Zaw, the Los Angeles chapter president of the Open Web Application Security Project, a nonprofit organization focused on raising security awareness among Internet users and developers.

“Small companies are often under intense pressure to grow, and they sometimes forget about security,” he said. “Security is very important in cloud computing, and Dropbox should’ve done a better job.”

Dropbox also recently came under scrutiny when it updated its terms of service, informing users that it would decrypt users’ files and give the government access to them if asked. Zaw said that was comparable to storing something in a bank safe-deposit box, but letting the bank keep both the box and the key to access it.

“If you want to keep something secret, you put it in the box and lock it, but you keep the key yourself,” he said.

salvador.rodriguez@latimes.com
