Dropbox left login door open for 4 hours

Dropbox has admitted that an erroneous code update on Sunday 19 June allowed logins without authentication and allowed users to access files held by other users of the file synchronisation service. This occurred at 9:54PM UK time and the error went undetected for just under four hours until Dropbox discovered it (at 1:41AM); a fix was deployed in five minutes and all logged in sessions were dropped. According to Dropbox, less than one per cent of users logged in during that time were affected. Dropbox plans to inform users who had login activity during that period that they may be affected.

The popular service has found itself in the security limelight this year and this latest incident will not help its reputation of having weak security by design. Earlier this year, Dropbox found users could circumvent permissions on files by exchanging file hashes. A developer created an application called Dropship which allowed people to use Dropbox as a file sharing alternative to Torrents; Dropbox then changed its backend services to stop Dropship functioning.

In April, a researcher found that it was possible to duplicate configuration files from a Dropbox client on another machine to gain access. Dropbox has since been rolling out a more secure client. Dropbox has also been called out on its encryption and access claims – originally it said that "no one" could see data stored in the system. It has since rolled back those claims stating that employees can access the files when legally required.

(djwm)