Wednesday, 22 June 2011

Dropbox Drops Passwords For Four Hours.

Online storage service Dropbox recently confirmed that an error made it possible for users to access accounts without the correct password. All a user needed to know was the email address tied to the account he or she wanted to access, as any password – including a blank one – would allow access.

The security flaw was introduced at 1:54 PM Pacific Daylight Time and was live for nearly four hours before being patched at 5:46 PM. According to Dropbox, the problem was introduced into the authentication system during a code update. The company stated that only 1% of its accounts were accessed during the security vulnerability's window and that an investigation into the circumstances surrounding the error is now underway. Although the 1% figure doesn't sound serious, Dropbox has about 25 million users, so this means that about 250,000 accounts were accessed while the issue was live.

Flaws of this nature are a serious problem for Dropbox, as the service is used by many organizations to share information related to ongoing projects. The service has come under fire in recent months for a number of security-related issues, including misleading statements about file encryption that eventually resulted in a formal complaint by the FTC.

There are a couple of things you can check to make sure that your Dropbox account was not compromised during those critical 4 hours. First of all, check the Dropbox log page, which goes into detail about all the recent activity in your Dropbox account. It will show you if someone has removed or added any files to your account without your knowledge and permission, as well as if any of your files were shared with anyone.

This page shows all the computers and mobile devices which are currently linked to your account. See a computer or device you don't recognize? Or has one of your computers or mobile devices been removed? Then someone has probably accessed your account. Boot them off and change your password immediately.

Source: CNET
