June 21, 2011

Perhaps They Should Have Tested More - Dropbox

During a recent code push, web-based file storage firm Dropbox introduced a bug in their authentication mechanism - allowing unprotected access to accounts for four hours.

Reaction to this particular bug was widespread:

  • "allowed users to log into accounts using any password"
  • "gaping security holes"
  • "a significant embarrassment for Dropbox"
  • "Too bad I no longer trust them"
  • "Even as a free service they're not worth the trouble"

From the Dropbox web site's Help section:

How secure is Dropbox?

Your files are actually safer while stored in your Dropbox than on your computer in some cases. We use the same secure methods as banks and the military.
Dropbox takes the security of your files and of our software very seriously. We use the best tools and engineering practices available to build our software, and we have smart people making sure that Dropbox remains secure. Your files are backed-up, stored securely, and password-protected.
I'm sure they are usually password-protected.  Unless there is a bug in the authentication mechanism.  In which case they are not actually password-protected at all.

Perhaps they should have tested more.

See also:

No comments:

Post a Comment