Dropbox, leading cloud computing service, suffers security failure

Since the announcement of iCloud, cloud computing and other cloud services have leapt from the tech-world and into the world at large. With this excitement and popularity has come a fair amount of scrutiny, mainly asking whether cloud services can keep our data safe and secure?

For leading cloud-service Dropbox the answer to that question was yes — until Sunday.

It had been reported that on Sunday some users noticed they were allowed into their Dropbox account after entering the wrong password.

Confirming the reports, Dropbox has now revealed that what happened was that for four hours there was a “bug” which made every Dropbox account accessible, regardless of password details.

Writing on the cloud service’s blog, Arash Ferdowsi, co-founder and CTO of Dropbox explained:

…we made a code update at 1:54pm Pacific time that introduced a bug affecting our authentication mechanism. We discovered this at 5:41pm and a fix was live at 5:46pm. A very small number of users (much less than 1 percent) logged in during that period, some of whom could have logged into an account without the correct password. As a precaution, we ended all logged in sessions.

Ferdowsi went on to say that: “This should never have happened. We are scrutinizing our controls and we will be implementing additional safeguards to prevent this from happening again.”

Whilst Dropbox, like all cloud computing services, continually lauds how safe it is, this is not the first security issue it has faced.

In April, Dropbox amended their Security Terms of Service (ToS) to say that employees are barred from viewing their data. However, following this amendment, a complaint was laid with the US Federal Trade Commission alleging that Dropbox makes “deceptive statements to consumers regarding the extent to which it protects and encrypts their data”. The key contention of the complaint was that prior to the amendment, their ToS had promised that employees were unable to view your data.

However, Ferdowsi, in an earlier a blog in April said,

In our help article we state that Dropbox employees aren’t able to access user files. This is not an intentionally misleading statement — it is enforced by technical access controls on our backend storage infrastructure as well as strict policy prohibitions.

The contents of a file will never be accessed by a Dropbox employee without the user’s permission. We can see, however, why people may have misinterpreted “Dropbox employees aren’t able to access user files” as a statement about how Dropbox uses encryption, so we will change this article to use the clearer “Dropbox employees are prohibited from accessing user files.

However, despite this argument, which was reinforced in emails Memeburn received from Dropbox some users are still of the opinion they were “misled”.

In the comments to Ferdowsi’s initial post, some readers went as far as to say they were dropping Dropbox as a result of the “serious security stuffups” and “purposeful lies”.

In what was probably an attempt to calm them, Ferdowsi updated the blog writing that Dropbox was “working around the clock” gathering additional data and looking for potential “unauthorised activity”.

The update also said, “We are sorry for this and regardless of how many people were ultimately affected, any exposure at all is unacceptable to us. We will continue to provide regular updates”.

Image: myce.com

*Memeburn correction — This article was corrected to reflect the fact that Dropbox’s amendment of its ToS preceded the FTC complaint. Originally the article had stated the ToS amendment followed the FTC complaint.