Security - Channel Insider

Empowering the next generation Channel

Home

Security

Dropbox Password Protection Function Disabled By Bug

[ci] deep dives:

Managed Services Distribution Careers Linux and Unix Computer Networking Printers Security SMB Partner Storage Surveys Solution Builder Messaging/Collaboration Dell Reseller Microsoft Partner

Dropbox Password Protection Function Disabled By Bug

in Security

DATE: 2011-06-22 | By Channel Insider Staff

Article Rating:

/ 0
Article Views: 4622

More Security Coverage

<<Previous Security News Next Security News >>

A bug in the code let anyone access any Dropbox online storage account by typing in a random string as a password over a four-hour period.

Rate This Article:

Add This Article To:

Digg this

Del.icio.us

Slashdot

Y! My Web

E-mail

Furl

Google

Simpy

Spurl!

PDF Version

Online storage service Dropbox accidentally turned off passwords for four hours, potentially exposing data belonging to its 25 million customers to unauthorized users.

The breach occurred when the company applied a code change at 4:54 p.m. EST on June 19 that caused problems with the authentication mechanism, Arash Ferdowsi, Dropbox CTO and founder, wrote in the company blog June 20. The problem was discovered about four hours later and Dropbox killed all of the sessions of those who were logged in and accessing the data.

The password issue allowed anyone in the world to access any of the 25 million accounts and the information stored inside by typing in any string as the password. The bug was possible because Dropbox handles encryption and decryption on its servers instead of the individual user computers. Since it holds the encryption key, it controls who can open the files, not the user.

"This should never have happened. We are scrutinizing our controls, and we will be implementing additional safeguards to prevent this from happening again," Ferdowsi wrote in his blog.

The issue was fixed at 8:46 p.m. EST, five minutes after it learned of the issue, according to Ferdowsi. The company also notified all those who had logged in during that four-hour window and asked them to review their account activity details. Concerned users can also directly contact Dropbox either through support@dropbox.com or security@dropbox.com, the company said.

"This kind of event underscores what a lot of people have been saying for a while no cloud provider is immune from making the same basic administration mistakes that all other organizations make," Geoff Webb, senior product manager at Credant Technologies, told eWEEK. The difference for cloud providers is that when a problem occurs, it affects a bigger user base. Much of the data is "probably not sensitive at all," but considering many enterprises rely on the service to store business information, having accounts unprotected for several hours increases the potential of a damaging data breach, Webb said.

To read the original eWeek article, click here: Dropbox Accidentally Turned Off Passwords on File Storage Service

comments dic



	>>> More Security Articles >>> More By Channel Insider Staff

Email Article To Friend ♦ Print Version Of Article ♦ PDF Version Of Article

Follow @ChannelInsider
< Prev | Next >

about 5 hours agoAssessing the Impact of HP Layoffs - HP needs channel partners to help put some distance between it all the drama ... http://t.co/2H0Gq8HJ
about 6 hours agoThin Client Opportunity Gets Richer for the Channel - IT organizations are rethinking client strategy in the age of ... http://t.co/JxUbh24m
May 23rd 4:38 PMPutting a Channel Face on the Cloud - Amazon, Google and others may leverage the channel to compete more aggressivel... http://t.co/RUeo9iT5
May 22nd 10:41 PMExpanding the Reach and Scope of Desktop Virtualization - VMware moves to acquire Wanova - VMware has set out to ... http://t.co/Ad020fhT
May 22nd 8:58 PMConsidering the IBM Watson Possibilities - IBM looks to the channel to help find new use cases for cognitive computi... http://t.co/CAljVbac
May 22nd 8:54 AMVariations on a Cloud Storage Theme in the Channel - EMC expands focus on the cloud via a channel that is wrestling ... http://t.co/MORSpkkb
May 21st 10:43 AMRightsizing the Cloud Service Provider - Cloudbursting will alter the way the channel thinks about cloud computing i... http://t.co/eZ33qdKE
May 17th 6:39 PMThe Future of IT Services - Automated managed services are transforming the way IT services are delivered - Histo... http://t.co/w4zvAS8u
May 17th 12:39 PMRising to the Cloud Application Management Challenge - BetterCloud previews management tool for Google Apps environm... http://t.co/KzhO7FlP
May 16th 11:00 AMPlaying the IT Services Name Game - HP expands ability of partners to deliver branded services as part of effort to ... http://t.co/XU3QOnKz

[ci] feeds

Add Channel News, Product Reviews, Trends and Analysis to your RSS newsreader or My Yahoo!

CHANNEL SPONSORED RESOURCE CENTER

Start the New Year with business intelligence—it’s a smart move
Join us on February 1 for an encore rebroadcast at either 5 am or 12 noon EST and discover how business intelligence (BI) supports companies in uncertain business and economic climates. Get expert advice on how to create a strategy that fits your organization's needs and budget and see how quickly it can pay for itself.
Click Here

Security and Availability Essentials for Running Your Business in the Cloud
Are you moving to the cloud? Find out what every IT professional should know about security and availability before moving to the cloud. Hear what a security provider’s own CSO has to say.
Watch Video

New Tool Analyzes Data Without Bias

A new algorithm automatically identifies relationships between variables to help reduce researcher prejudice.
Click Here

Channel Insider:

Security:
Network Security
Enterprise Networking
Infrastructure Security
How To: Data
IT Security News
Security Watch Blog
Secure Channel Blog

Storage:
Data Storage
Cloud Storage
Storage Virtualization
Network Access Storage
Storage Reviews
Data Storage News
How To: Storage
Storage Station Blog

Computing:
Apple OSX
Linux Systems
Windows Vista
Managed Print Services
Cloud Computing
Computer Reviews
Microsoft Watch Blog
Apple Watch Blog
Google Watch Blog

Communications:
VoIP Solutions
Wireless Technology
Messaging Software
Web Services
Mobile Applications
Wireless News
Mobile Reviews

Apps & Development:
Application Development
SAAS
Search Engines
Database Software
Web 2.0
IT Project Management
Emerging Tech Blog
CIO Insight Blogs
CIOs

Vertical Markets:
Federal Government IT
Health Care IT
Finance IT
Mid-Market
Channel and VARs
Careers Blog
Value Added Resellers

More eWeek Links:
Green Computing Center
Tech Knowledge Center
Tech Newsletters
Tech RSS Feeds
White Papers
Tech Podcasts
Tech Videos
Complementary Magazine Subscriptions

Enterprise Websites:
ZDE Home
eWeek
Baseline Magazine
Channel Insider
CIO Insight
eSeminars and Events
Publish Online
Web Buyers Guide

Developer Websites:
Microsoft DevSource
Dev Shed
DeveloperShed
ASP Free
SEO Chat
Codewalkers
Tutorialized
Scripts.com
Dev Mechanic
Dev Articles
Web Hosters
Dev Hardware

Technology Websites:
Device Forge
Desktop Linux
Linux Devices
Windows for Devices
PDF Zone
Linux Watch
TechDirect
Smarter Technology

Use of this site is governed by our Terms of Use and Privacy Policy
Copyright ©1996-2012 Ziff Davis Enterprise Holdings Inc. All Rights Reserved. eWEEK and Spencer F. Katt are trademarks of Ziff Davis Enterprise Holdings, Inc. Reproduction in whole or in part in any form or medium without express written permission of Ziff Davis Enterprise Inc. is prohibited.
eWeek is your best source for the latest Technology News.
ZDE Cluster 2

Dropbox Password Protection Function Disabled By Bug

More Security Coverage

A bug in the code let anyone access any Dropbox online storage account by typing in a random string as a password over a four-hour period.

Related Content

Follow @ChannelInsider < Prev | Next >

Follow @ChannelInsider
< Prev | Next >