Dropbox lets anyone log in as anyone - so check your files now!

Filed Under: Cryptography, Data loss, Privacy

Customers of cloud-based file storing-and-sharing company Dropbox should check on the data they've entrusted to the service, following the company's admission that it messed up its access controls for several hours.

(Updated: please see footnote below.)

Unlike the majority of data breaches we've reported on lately - where usernames and passwords were stolen, allowing attackers and miscreants to access other people's accounts illegally - Dropbox's "hack" was of a more embarrassing sort.

Apparently, Dropbox published a code update which inadvertently removed the need to authenticate. So you could log in to other people's accounts without knowing their passwords at all. (Dropbox isn't alone in having made this sort of mistake. Facebook did something similar last year, leading to Mark Zuckerberg's own fan page being hacked.)
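The failure class described above (a deploy that drops the password check, so any existing username logs in regardless of what is typed) is cheap to catch with a regression check that runs against every build before it ships. The following is an added example, not Dropbox's code or a Sophos tool; the account store, the sample passwords and the function names are constructed for illustration, and `login_broken` is a hypothetical stand-in for the kind of regression the article describes, not the actual change Dropbox made.

```python
import hashlib
import hmac
import os


def _hash_password(password, salt):
    """PBKDF2-HMAC-SHA256 of the password; the iteration count is kept
    modest here so the example runs quickly."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user_store(accounts):
    """Build {username: (salt, hash)} from {username: password}.
    Constructed demo accounts only; nothing here is a real credential."""
    store = {}
    for username, password in accounts.items():
        salt = os.urandom(16)
        store[username] = (salt, _hash_password(password, salt))
    return store


USERS = make_user_store({
    "alice": "correct horse battery",
    "bob": "hunter2-but-longer",
})


def login_ok(store, username, password):
    """Correct login: the submitted password must match the stored hash."""
    record = store.get(username)
    if record is None:
        # Do the same amount of work for unknown users so timing does not
        # reveal which usernames exist.
        _hash_password(password, b"\x00" * 16)
        return False
    salt, expected = record
    return hmac.compare_digest(_hash_password(password, salt), expected)


def login_broken(store, username, password):
    """Hypothetical regression: an update left the password comparison out,
    so any existing username is accepted. This models the bug class the
    article describes, not Dropbox's actual code."""
    return username in store


def auth_regression_check(login):
    """Exercise a login function with the cases a release gate should never
    let through. Returns a list of failure descriptions; empty means pass."""
    failures = []
    if not login(USERS, "alice", "correct horse battery"):
        failures.append("valid credentials rejected")
    if login(USERS, "alice", "wrong password"):
        failures.append("wrong password accepted")
    if login(USERS, "alice", ""):
        failures.append("empty password accepted")
    if login(USERS, "nobody", "anything"):
        failures.append("unknown user accepted")
    return failures


if __name__ == "__main__":
    for name, fn in (("login_ok", login_ok), ("login_broken", login_broken)):
        result = auth_regression_check(fn)
        print(name, "PASS" if not result else "FAIL: " + "; ".join(result))
```

The point of `auth_regression_check` is that it tests the negative cases, which is exactly what a hand test of "can I still log in?" after a deploy does not cover: a build in which the password check has silently gone missing still lets the tester in, and only the "wrong password accepted" case exposes it.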

Ouch.

One popular use of services like Dropbox is to get around the restrictions many companies put on emailing around large files. If I'm working at home and have a huge spreadsheet which I know my IT manager won't let through the email gateway, I can just upload it to Dropbox and share the resulting web link with my colleagues.

In theory, the risk of this should be no worse than me copying the file to a USB key and letting my colleagues copy it from there. (In fact, if you're not careful with USB keys, they may pose a larger risk than sharing web links, since the USB key may contain other files - such as malware - besides the spreadsheet you just saved on it.)

But the safety of a web link allowing you to share a file "through the cloud" depends very strongly on who's able to access that link. If anyone can download it, you run the risk of data leakage. And if anyone can access and modify it, you run the risk of something much worse.

Dropbox can also automatically synchronise your own files between all your various devices, such as your desktop PC, your Mac laptop and your smartphone.

In the company's own promotional video, an intrepid adventurer named Josh uses Dropbox to share and to synchronise detailed information between his numerous devices for his forthcoming safari in Africa.

That means that unauthorised access to your Dropbox data could give cybercrooks an enormous amount of information about your life, your plans and your identity. And unauthorised modification of your Dropbox data could propagate incorrect information throughout your digital world.

Dropbox did well to fix the problem within four hours, and to admit this openly on its blog.

But the "eternal beta" flavour of many cloud services - where updates and improvements are rolled out regularly and frequently to suit the service provider rather than its users - is an often-underestimated risk.

By the way, one way to improve the safety of web-based file sharing is to encrypt the files you share before you upload them. Only someone with the password will be able to decrypt those files. And if you don't have the password, you won't be able to alter their content, either.
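Both halves of that claim (nobody without the password can read the file, and nobody without the password can alter it undetected) need the encryption to be authenticated: a bare cipher hides content but does not stop someone flipping bits in the ciphertext. The following is an added example, not the Sophos tool or any Dropbox feature; it uses only the Python standard library so it runs offline, building a password-derived key, a SHA-256 counter keystream for confidentiality and an HMAC over the stored blob for integrity. The construction and the blob layout are the example's own choices; in a real deployment you would use a vetted authenticated-encryption library rather than assembling the pieces by hand.

```python
import hashlib
import hmac
import os
import struct

# Blob layout (this example's own format):
#   salt (16) | nonce (16) | ciphertext (len(plaintext)) | HMAC-SHA256 tag (32)
SALT_LEN, NONCE_LEN, TAG_LEN = 16, 16, 32


def _derive_keys(password, salt):
    """PBKDF2 yields 64 bytes: the first 32 encrypt, the last 32 authenticate.
    Separate keys keep the cipher and the MAC independent of each other."""
    material = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                   100_000, dklen=64)
    return material[:32], material[32:]


def _keystream(key, nonce, length):
    """Counter-mode keystream: SHA-256(key || nonce || counter) blocks.
    A fresh random nonce per file means the same key never reuses a stream."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + struct.pack(">Q", counter)).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(plaintext, password):
    """Encrypt-then-MAC: the tag covers salt, nonce and ciphertext, so any
    change to the stored blob is detected before decryption is attempted."""
    salt = os.urandom(SALT_LEN)
    nonce = os.urandom(NONCE_LEN)
    enc_key, mac_key = _derive_keys(password, salt)
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def open_sealed(blob, password):
    """Verify the tag first; only a blob that passes is decrypted."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short to be valid")
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    enc_key, mac_key = _derive_keys(password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        # Wrong password and a modified file look the same here: either way
        # the MAC key does not match the tag, and nothing is decrypted.
        raise ValueError("wrong password or file modified")
    return _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))


def can_open(blob, password):
    """True if the blob verifies and decrypts with this password."""
    try:
        open_sealed(blob, password)
        return True
    except ValueError:
        return False


def tamper_detected(blob, password, byte_index):
    """Flip one bit at byte_index (anywhere in the blob) and report whether
    the holder of the correct password notices."""
    mutated = bytearray(blob)
    mutated[byte_index] ^= 0x01
    return not can_open(bytes(mutated), password)


if __name__ == "__main__":
    # Constructed sample content standing in for the shared spreadsheet.
    sample = b"region,q1,q2\nnorth,1200,1350\nsouth,980,1010\n"
    blob = seal(sample, "share-this-out-of-band")
    print("round trip ok:", open_sealed(blob, "share-this-out-of-band") == sample)
    print("wrong password opens it:", can_open(blob, "guess"))
    print("bit flip in ciphertext detected:", tamper_detected(blob, "share-this-out-of-band", 40))
```

The order matters: the tag is checked before any decryption, so a modified or wrongly keyed blob never yields plaintext, and the salt and nonce are inside the MAC so they cannot be swapped either. The password itself still has to travel to your colleagues by some route other than the share link, or the link carries everything an onlooker needs.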

If you're interested, Sophos has a free tool for Windows users that you can use to encrypt and compress sensitive information. You can use it for free both commercially and personally.

* Download now (direct download, no registration, Windows only)

* Learn more

Footnote. As alert Twitterer Andy Durdin points out, you can readily see if someone else has changed your Dropbox files. But you can't see if someone else has been snooping through your data.

Dropbox suggests on its blog that less than 1% of accounts were accessed during the unprotected period, and that it will contact those users in case the access was unauthorised.

If your account was accessed, be sure to ask Dropbox for a detailed log of what happened so you can find out what got stolen as well as what got changed. Unauthorised access and unauthorised modification are both bad for your digital well-being.


12 Responses to Dropbox lets anyone log in as anyone - so check your files now!

  1. Michael · 1222 days ago

    Is there a Mac version of the encryption software available or coming?

    • George · 1123 days ago

      The best free, open, and multi-platform encryption solution is TrueCrypt. Perfect if you're a Mac, or Linux, or Windows, or Android user :)

  2. bswins · 1222 days ago

    Paul,

    As Sophos' free tool is Windows only, I'd be interested to hear your recommendations for similar applications for Mac users.

    I've read a plethora of reviews of the various Mac solutions available, but I'm curious if you and/or the Sophos team have some personal favorites that you would be willing to share?

    Cheers!

    bswins

  3. Alex · 1222 days ago

    For a quick option, although the UI is a little techie, Mac users can use the built-in "Disk Utility" (under Utilities in the Applications folder) to create an encrypted container that you can put files in.

    Instructions here on Apple's website: http://support.apple.com/kb/ht1578

    Only catch is that you'll only be able to decrypt those files on a Mac.

  4. Well, I found this (http://www.sophos.com/en-us/products/free-tools/sophos-free-encryption.aspx) but it's a pain to download. I used the Windows version and I like it (it seems way easier to use than TrueCrypt). It'd be nice to have a Mac version as well.

    • Paul Ducklin · 1222 days ago

      If you click on either of the "Download now" links in the article, there's no pain at all in downloading - the URI takes you directly to the executable. (No registration form. You don't even have to give us a made-up email address.)

  5. I think the "Beta" moniker is a wonderful tactic. It allows you to point to it whenever an issue arises. The fact that people trust important data to a 3rd party without really considering the ramifications is disturbing. But they do, and they do it often. And to be fair, I'm in that category as well.

    While cloud technology is growing by leaps and bounds and the adopters of it are increasing exponentially, shouldn't we stop for a minute and just think about it? There is a rather interesting thing about clouds; they can obfuscate.

    • Mark · 1068 days ago

      "Beta" is a sensible warning label and any user downloading such software would be better off learning exactly what it means and making an informed choice whether to use such appropriately labelled software. That said, "beta" software should have strict standards of quality control (no bugs currently known about at the time of release) and certain software should never really be released to the wider public in beta testing (such as those that manage sensitive or mission critical data).

  6. Bob · 1222 days ago

    Is there an iOS version? A nice feature of Dropbox is that I can get to my files from my iPhone or iPad.

  7. Chris Nystrom · 1150 days ago

    Apparently one cannot use Dropbox with Sophos anyway. Sophos blocks Dropbox installation.

    • I don't believe we block the installation of Dropbox by default. Speak to your network administrator - it is probably they who have configured Sophos to block installation of Dropbox.

  8. Erik · 341 days ago

    Not sure about Microsoft Office, but I use LibreOffice and it is possible to encrypt your files with a password (I think the same is true for OpenOffice/ApacheOffice).

    That way you won't have to bother with the extra layer of a disk encryption program such as TrueCrypt (which I use when the program doesn't offer encryption).


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog