eriso.blogg.se

Dropbox account log in

Security scares are the last thing Dropbox needs. Soghoian didn’t discover the password issue himself - it was relayed to him and he anonymized the email exchange. The issue was posted to Pastebin by Christopher Soghoian, who has previously criticized Dropbox for the company’s misleading description of its security practices (Dropbox used to claim that employees at the company had no way of viewing user files, but in reality a small number of them do have administrative privileges). We are scrutinizing our controls and we will be implementing additional safeguards to prevent this from happening again. If you’re concerned about any activity that has occurred in your account, you can contact us should never have happened. If we identify any specific instances of unusual activity, we’ll immediately notify the account owner. We’re conducting a thorough investigation of related activity to understand whether any accounts were improperly accessed. As a precaution, we ended all logged in sessions.

A very small number of users (much less than 1 percent) logged in during that period, some of whom could have logged into an account without the correct password. We discovered this at 5:41pm and a fix was live at 5:46pm. Yesterday we made a code update at 1:54pm Pacific time that introduced a bug affecting our authentication mechanism. Update: Here’s the company’s blog post, which just went live: The team is now investigating if any accounts were improperly accessed, and says that anyone who was impacted will be notified. The company will be announcing that “much less than 1 percent” of users logged in during this time, and that all sessions have now been logged out as a security precaution.

The question now is how many people were affected.

So, in total, the bug was live for around four hours. We’ve now confirmed with Dropbox that the service did have this issue yesterday - Dropbox says that it began after a code push at 1:54 PM PDT and was fixed at 5:46 PM PDT (they had the fix live five minutes after they discovered it). In other words, you could log into someone’s account simply by typing in their email address. Given that many people entrust Dropbox with important data (one of the service’s selling points is its security), that’s a really big deal. This morning a post on Pastebin outlined a serious security issue that was spotted at Dropbox: for a brief period of time, the service allowed users to log into accounts using any password.












