Print
A little snafu over at Dropbox HQ has served to remind us how imperfect the cloud still is for storage of all our personal data. Over the weekend, an observant user noticed that following a password change, he was able to log into his cloud storage account with any password at all, even if it was just one letter long. Weird, right? Well it turns out it wasn’t just him. Anyone could log into any Dropbox with any password.
It was a PhD candidate at Indiana University by the name of Christopher Soghoian that noticed the issue. He clued a friend in, who contacted Dropbox. A quick response from Dropbox founder and CTO Arash Ferdowsi indicated they had found the source of the problem and corrected it. It only took about an hour from the time the user notified Dropbox, but the exploit may have been possible for some time before that.
We’re wondering if this sort of incident changes you opinion of cloud storage. Should we be looking toward local storage of the most sensitive data, or do we just need to demand more accountability?
Comments are closed on this article
stradric
June 21, 2011 at 6:53am
People are rather silly to fully trust any corporation. I've always operated my Dropbox under the assumption that any Dropbox employee could view all the contents of my Dropbox at any time. As such, I encrypt sensitive material and only put it up there if it's absolutely necessary or provides me with enough utility that it's worth it (keepass database for example).
I've always treated Dropbox as very suspect. What do they get by offerring me 2+GB of free storage? Are they analyzing my files and building some kind of profile on me that they can sell to Choicepoint or whoever? I have no idea, but I can't deny that it's a service that I find incredibly useful.
This news just galvanizes my concerns.
kixofmyg0t
June 21, 2011 at 8:31am
Good idea, but you should have the idea that ANYONE could access your data....cuz that's exactly what happened.
I have yet to use Dropbox(even though I have it installed on everything).
However I never did trust "the cloud". After this stunt Sugarsync is looking worlds better.
kixofmyg0t
June 21, 2011 at 4:54am
I got a better question, how the F did this even happen? You could log into ANYONE'S Dropbox with ANY password? What did they just erase all permission rules?!?
Even Sony's PSN was more secure than that....
aarcane
June 20, 2011 at 10:54pm
There's nothing wrong with cloud storage. using something like Amanda backup to Amazon S3 is perfectly reasonable, so long as you take sole responsibility for encryption and verification of your content. Setting up Amanda is remarkably easy and remarkably flexible, and Amazon S3 is a drop-in replacement (or addition) to disk-or-tape-based archival.
Brdn666
June 20, 2011 at 7:57pm
This doesn't change my opinion on cloud storage, because I personally don't store anything on dropbox that'd be worth taking. And if I did, I'd use truecrypt first to make it secure on my own terms.
Neufeldt2002
June 20, 2011 at 6:48pm
Never had much faith in the cloud anyway. This just reaffirms my position.
ShyLinuxGuy
June 20, 2011 at 6:33pm
LOL, spammers. "Wonderful." Yup, people's Dropboxes left wide open are just "Wonderful." /sarcasm
'kay, don't these spammers know they will have very little to no success on scamming on a tech site? Maybe a site where you have a lot of uninformed and naive people, like Nickelodeon or Better Homes & Gardens, but a tech site mainly comprised of net-savvy people? I know it might be automated and all, but they're just wasting bandwidth and CPU cycles on us. Either that or someone has TOO MUCH time on their hands and needs to get a life. They need to understand that they need to stop this bullsh*t, or at the very least, stop targeting people who are *definitely* not going to fall for their scams.
/end of rant
