Dropbox, the cloud-based file-hosting service, left all 25 million of its users' accounts open to all comers on Sunday when it accidentally turned off its password security system. For almost four hours, users could access their accounts (or any other account) by typing anything at all into the password box.
According to a post on The Dropbox Blog, the company made a code update at 1.54pm Pacific time (5.54am BST) on Sunday which introduced a bug into their password authentication system. They said: "We discovered this at 5:41pm and a fix was live at 5:46pm. A very small number of users... logged in during that period, some of whom could have logged into an account without the correct password."
Dropbox is one of the most popular file-hosting and sharing services available online, with more than 25 million users. It allows people to store their files online and synchronise them across devices, as well as sharing them over the internet - so that large files, like video and photographs, can be transmitted over the web without need for physical couriers or file transfer protocols.
Wired.com explains that the security failure was possible because Dropbox keeps the encryption and decryption details on their servers rather than on users' computers. This means that if people forget their encryption password, Dropbox can issue them a new one and their files are not lost forever. However, it means that bugs and errors at Dropbox's end can create security problems for all users. Last month, a security researcher, Christopher Soghoian, filed a complaint saying that Dropbox had deceived users about how effective its security was.
The blog post says that fewer than one in a hundred accounts were affected, and that when the bug was discovered it immediately ended all users' sessions, to prevent anyone who had logged in illicitly from continuing to access other accounts. Dropbox says that they will launch a "thorough investigation" into the security lapse, adding: "This should never have happened. We are scrutinizing our controls and we will be implementing additional safeguards to prevent this from happening again."
They say that they are reviewing their logs to find any potential unauthorised activity, and all users who logged in during that time will be contacted. They say that users who have any concerns should contact them at support@dropbox.com.