Cloud Bug Data Storage Security Hardware

Dropbox Password Goof Let Any Password Work For 4 Hours

tekgoblin writes "Dropbox confirmed today that for some time yesterday, any user's account was accessible without a password. The glitch was a programming error related to a code update and accounts were only vulnerable from around 1:54 pm PST to 5:46 pm PST." "Only" is relative; as reader zonky puts it, "It took around 4 hours from deployment for Dropbox to notice they'd entirely broken their authentication scheme."
  • Regression testing (Score:5, Informative)

    by Bogtha ( 906264 ) on Tuesday June 21, 2011 @08:04AM (#36510846)
    This is why automated regression testing is a best practice. I guess Dropbox don't test their authentication.
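The kind of check the comment above is asking for, as an added example that is not part of the original thread and not Dropbox's code: a small password-verification routine, a hypothetical "broken" variant that models a refactor which still looks up the user and hashes the password but never uses the comparison result (so any password is accepted, as in the story), and a regression suite that catches it. Account names, passwords and the PBKDF2 parameters are constructed for the example.

```python
import hashlib
import hmac
import os


def _hash(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; iteration count is an arbitrary choice for the example."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample accounts (hypothetical, not Dropbox data).
USERS = {}
for _name, _pw in (("alice", "correct horse"), ("bob", "battery staple")):
    _salt = os.urandom(16)
    USERS[_name] = (_salt, _hash(_pw, _salt))


def verify_password(username: str, password: str) -> bool:
    """Correct check: recompute the hash and compare in constant time."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(_hash(password, salt), stored)


def verify_password_broken(username: str, password: str) -> bool:
    """Hypothetical regression modelled on the story: the hash is still
    computed, but the comparison result is never used, so every password
    for a known user is accepted. The real Dropbox bug is not on the page."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, _stored = record
    _hash(password, salt)  # computed, then ignored
    return True


def auth_regression_suite(verify) -> list:
    """Run the authentication invariants against a verify(user, pw) function.
    Returns the names of the checks that failed; an empty list means all passed."""
    checks = {
        "correct password accepted": verify("alice", "correct horse") is True,
        "wrong password rejected": verify("alice", "wrong") is False,
        "empty password rejected": verify("alice", "") is False,
        "other user's password rejected": verify("alice", "battery staple") is False,
        "unknown user rejected": verify("mallory", "correct horse") is False,
    }
    return [name for name, ok in checks.items() if not ok]


if __name__ == "__main__":
    print("correct implementation failures:", auth_regression_suite(verify_password))
    print("broken implementation failures: ", auth_regression_suite(verify_password_broken))
```

The point of the suite is the negative cases: a test that only confirms the right password logs in passes against both implementations. Gating a deploy on `auth_regression_suite(...)` returning an empty list would have stopped the broken variant before it reached production.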
  • by Richard_at_work ( 517087 ) on Tuesday June 21, 2011 @08:10AM (#36510902)

    No, they have never claimed that the password was involved in the encryption they use - they use one single encryption key for all data stored. Their terms of service did say that your data is inaccessible without your password, but this is nothing more than permissions rather than per-account encryption.

    There has been lots of valid shit thrown around about Dropbox over the recent weeks, but please do try and get stuff right before you complain.

  • by Richard_at_work ( 517087 ) on Tuesday June 21, 2011 @08:32AM (#36511086)

    Again, no - it's been well documented that Dropbox does global deduplication and single instance storage, across all data in their database. That would not work anywhere near as well for them if each account used its own encryption key - until they turned it off recently due to abuse, you could shove an Ubuntu iso into your local Dropbox and have it "synced" 100% in seconds, as the Dropbox servers realise that they already have it in their global pool, and simply tell your client not to upload it.

    So yes, they use a single key.
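The mechanism the comment above describes, as an added example that is not part of the original thread and not Dropbox's code: a hash-keyed single-instance store, a client that asks "do you already have this hash?" before uploading, and a comparison of what happens when two users sync the same file under one global key versus per-account keys. The cipher is a deliberately simple deterministic SHA-256 keystream standing in for real encryption (assumption: with a deterministic cipher, equal key and equal plaintext give equal ciphertext, which is what lets the hash match; a real cipher with random IVs would force dedup to happen on plaintext hashes before encryption). Key names and the file contents are constructed for the example.

```python
import hashlib

GLOBAL_KEY = b"single-service-wide-key"  # hypothetical stand-in for "one key for all data"


def content_id(blob: bytes) -> str:
    """Content hash used as the dedup key (SHA-256 chosen for the example)."""
    return hashlib.sha256(blob).hexdigest()


class DedupStore:
    """Server-side single-instance store: one copy per distinct content hash."""

    def __init__(self) -> None:
        self.blobs: dict[str, bytes] = {}
        self.uploads = 0  # how many times a client actually shipped bytes

    def has(self, cid: str) -> bool:
        return cid in self.blobs

    def put(self, cid: str, blob: bytes) -> None:
        # A real server must recompute the hash rather than trust the client's claim.
        assert content_id(blob) == cid
        self.blobs[cid] = blob
        self.uploads += 1


def sync(store: DedupStore, data: bytes) -> bool:
    """Client side: hash first, upload only if the server lacks that hash.
    Returns True when bytes were actually uploaded."""
    cid = content_id(data)
    if store.has(cid):
        return False  # already in the global pool: instant "sync", nothing sent
    store.put(cid, data)
    return True


def toy_encrypt(key: bytes, blob: bytes) -> bytes:
    """Toy deterministic stream cipher: XOR with a SHA-256(key || counter) keystream.
    Illustration only; not a real cipher, and decryption is the same operation."""
    out = bytearray()
    for off in range(0, len(blob), 32):
        keystream = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(blob[off:off + 32], keystream))
    return bytes(out)


def upload_count(per_account_keys: bool) -> int:
    """Two users sync the same file; returns how many real uploads occurred."""
    store = DedupStore()
    iso = b"ubuntu-11.04-desktop.iso contents " * 1000  # constructed stand-in file
    for user_key in (b"alice-key", b"bob-key"):
        key = user_key if per_account_keys else GLOBAL_KEY
        sync(store, toy_encrypt(key, iso))
    return store.uploads


if __name__ == "__main__":
    print("uploads with one global key:  ", upload_count(False))
    print("uploads with per-account keys:", upload_count(True))
```

With the global key both clients produce the same ciphertext, the second hash lookup hits, and only one upload happens; with per-account keys the ciphertexts differ, the hash never matches across users, and every account pays for its own copy. That trade-off is exactly why the comment argues the dedup behaviour rules out per-account encryption.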
