New Dropbox vulnerability raises questions


Last Sunday, Dropbox had a bug for a few hours that allowed users to log in without a valid password. It is the second security issue within a few months for Dropbox, which profiles itself as safe.

A Dropbox user discovered on Sunday that it was possible to log in to Dropbox.com without a valid password, so that other users' files could be viewed. It is not clear whether this was possible in all cases; Dropbox is somewhat cryptic about it. However, the company acknowledges in a blog post that there was a problem with the authentication system, which allowed some users to log in without the correct password.

The door to Dropbox accounts stood open for a few hours: on Sunday evening, Dutch time, a software update was rolled out that introduced the vulnerability. Just four hours later, the problem was discovered, after which Dropbox says it closed the leak within five minutes. The company apologized for the security issue – “It should never be allowed to happen,” writes chief technical officer Arash Ferdowsi in the blog post – and is examining whether there has been any abuse. Ferdowsi says that users who are affected by the leak will be informed.

During the time that access without a password was possible, “less than 1 percent” of Dropbox users are said to have logged in. It is still unclear how many of them did so without using the right password.

It is not the first time that Dropbox has faced a security issue. In April, the Dropbox client software proved to contain a vulnerability, though it was less far-reaching. It turned out to be possible to obtain access to all of a user's files with only that user's host_id. That host_id is not accessible to the public; getting hold of it requires access to the user's computer. It could, however, be of interest to malware makers as a way to silently log in to Dropbox accounts; access remained possible even if the malware was discovered and removed. Dropbox maintained at the time that it was not a security issue, but promised an update to solve the problem. That update, however, has still not appeared in a stable version.

A month later there was much commotion when it was discovered that Dropbox employees had access to users' files. The company had always maintained that employees have no access, but when Dropbox wrote in its new terms of use that it would decrypt users' files and hand them over to the government when required, it could be reasoned that at least some employees had to have access to users' files.

The decryption concerns Dropbox's own built-in encryption; the company will not remove any encryption mechanisms that users have applied themselves. Moreover, only a small part of Dropbox's staff is able to decrypt and view files, the company claims.

This accumulation of vulnerabilities is raising questions among many users about the security of their files. Users are complaining en masse on the Dropbox blog about the vulnerability, but also about the fact that no general e-mail explaining the security vulnerability has been sent to users. The fact that the problem could be solved within five minutes moreover indicates that it was probably a simple leak, while Dropbox profiles itself precisely as a secure storage service. “We use the same security methods as banks and the army,” the company even writes on a support page.

Until now, things had been going well for the start-up. In January 2010 the company had a total of 4 million users, an unknown share of them with a paid subscription. The company probably has many more users by now. Dropbox is said to be worth 1 to 2 billion dollars.