James Delahunty
21 Jun 2011 10:31
Popular cloud-storage solution experiences huge security lapse.
Dropbox founder and CTO Arash Ferdowsi used the company's blog to explain a major bug with the Dropbox authentication mechanism. On Sunday, Dropbox updated some code and unknowingly introduced a bug affecting its authentication mechanism, which potentially exposed its users data to anybody.
Between 1:54pm and 5:41pm (Pacific time), users could have logged into accounts without the correct password. Ferdowsi says that a very small number of logins were made during that time (much less than 1 percent of userbase.) After the problem was discovered, it was fixed (and was live) within minutes.
Dropbox is now conducting an investigation to determine if any accounts were improperly accessed. Upon finding the bug, all logged in sessions were ended as a precaution. If the company finds that any unauthorized account use happened during the time the system was vulnerable, it will alert the account holder immediately.
"This should never have happened. We are scrutinizing our controls and we will be implementing additional safeguards to prevent this from happening again.," Ferdowsi said.
"We are sorry for this and regardless of how many people were ultimately affected, any exposure at all is unacceptable to us. We will continue to provide regular updates."
If you have any reason to believe that your Dropbox contents have been accessed or altered, you can get in touch with the Dropbox team at support@dropbox.com.