Web-based file hosting service Dropbox has confirmed that a bug introduced by a code push allowed anyone to access any user account by simply typing in a random password for a period of nearly four hours.
The bug was detected accidentally by an anonymous user who sent the following information to security researcher Christopher Soghoian:
If you’re still involved in the Dropbox investigation, there was an interesting development this afternoon. I found I was able to log into my account using an incorrect password, and on further investigation I found I could log in and access files on any of the three accounts I tested (mine and two friends’) using any password.
This is corroborated by the admittedly-thin Dropbox tech support thread below.
After receiving permission from the sender, Soghoian published the whole email exchange on Pastebin on Sunday morning.
Once the problem was shared with the Dropbox technical support team, it was fixed in a matter of minutes, but that doesn’t change the fact that it shouldn’t have happened in the first place.
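The article does not say what the faulty code change looked like, only its effect: any password was accepted. The block below is an added example, not Dropbox's code, showing the release-time check that would have caught a regression of that kind. The store, the password-hashing parameters and the `broken_verify_password` stand-in are all constructed for illustration; the check simply asserts that the real password is accepted while a handful of wrong ones are rejected, and fails for any verifier that accepts everything.

```python
import hashlib
import hmac
import os
import secrets
from typing import Callable, Tuple

# Constructed parameters for this example; a real deployment would tune them.
PBKDF2_ITERATIONS = 100_000
Record = Tuple[bytes, bytes]  # (salt, PBKDF2-SHA256 digest)


def make_record(password: str) -> Record:
    """Create a salted password record (hypothetical user store entry)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(record: Record, candidate: str) -> bool:
    """Correct verifier: recompute the digest and compare in constant time."""
    salt, stored = record
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(stored, digest)


def broken_verify_password(record: Record, candidate: str) -> bool:
    """Constructed stand-in for the bug class in the article: the work is done,
    but the result is never compared against the stored digest, so every
    candidate password is accepted. This is not Dropbox's actual code."""
    salt, _stored = record
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, digest)  # compares the digest to itself


def login_regression_check(verify: Callable[[Record, str], bool],
                           record: Record, correct: str) -> bool:
    """Release gate for the authentication path.

    Passes only if the correct password is accepted AND every wrong
    candidate is rejected. A verifier that accepts anything fails here,
    which is exactly the failure mode a deploy should be blocked on."""
    if not verify(record, correct):
        return False
    wrong_candidates = [
        "",                          # empty password
        correct + "x",               # near miss: extra character
        correct[:-1],                # near miss: missing character
        " " + correct,               # leading whitespace
        secrets.token_urlsafe(16),   # random string
    ]
    return not any(verify(record, w) for w in wrong_candidates)


if __name__ == "__main__":
    rec = make_record("correct horse battery staple")
    print("good verifier passes gate:", login_regression_check(verify_password, rec, "correct horse battery staple"))
    print("broken verifier passes gate:", login_regression_check(broken_verify_password, rec, "correct horse battery staple"))
```

Running the gate against both verifiers shows the point: the correct one passes, the constructed broken one fails on its first wrong candidate. Wiring a check like this into the deploy pipeline, rather than relying on a user noticing, is the mitigation the incident argues for.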
“A very small number of users (much less than 1 percent) logged in during that period, some of whom could have logged into an account without the correct password. As a precaution, we ended all logged in sessions,” Dropbox’s Arash Ferdowsi wrote. “We’re conducting a thorough investigation of related activity to understand whether any accounts were improperly accessed. If we identify any specific instances of unusual activity, we’ll immediately notify the account owner.”
A recent update says that they have emailed activity-related details to the owners of the accounts that logged on during the period in question, but there is no news on whether the bug was exploited by unauthorized third parties.
This is definitely not a good year for Dropbox. According to Wired, Soghoian has recently filed an FTC complaint against the company, claiming that the service misleads its users by saying that no one at the company has access to the encryption keys needed to open the encrypted files uploaded by users, when in fact some employees do have access to those keys and can decrypt the files.
With this latest glitch, the company could find itself losing its most precious commodity: the trust of its users.