The good, bad & ugly of Dropbox authentication error

Businesses need to review cloud permissions and policies in light of online file storage security mishap

Online storage service Dropbox made an embarrassing error Monday, turning off password authentication for millions of users.

The company updated some code on the service just before 2:00 pm Monday, yet the new code included a bug that switched off the need to authenticate to access files on a Dropbox. This means that every file on every Dropbox could have been accessed without requiring any credentials to do so. The company figured out what it had done just before 6:00 pm and quickly closed the hole, but for four hours, users' documents were readily accessible to anyone who was looking.

It's the latest black eye for security in a cloud-based world, following on the likes of Sony's PlayStation Network debacle and other LulzSec shenanigans and high-profile downtime for cloud giants like Amazon.

But, if you'll pardon the pun, they say there's a silver lining to every cloud. So let's start by taking a look at what went right in this instance, and then get into what went wrong.

The Good: Transparency

Dropbox was upfront with this miscue, with CTO Arash Ferdowsi explaining the problem, what caused it, how it was fixed and who was affected in a Monday evening blog post. The company says that "as much as one percent" of its 25 million-plus user accounts were accessed during the security outage.

Since then, it has twice updated that post with the latest information, and says it is sending email to any accounts accessed during the four-hour breakdown with details of activity for user review.

As with any new technology, making sure users trust the cloud is key to its uptake and therefore usage. Amazon took a beating for its silence during its April AWS outage, and justifiably so. By getting out front of this issue, Dropbox minimized the damage to its brand and product and probably made it more likely that users will trust it in the future. So that's good.

The Bad: A Troubling History

However, if Dropbox has a heightened level of sensitivity around security issues, it's probably well deserved. In recent months, the company has been criticized for misleading users about the level of encryption is uses and had an FTC complaint filed against it for the same problem. And for good measure, it's been called out for its stance on handing files over to authorities upon request.

Any one of those problems could be reason enough for a business to stay away from the service. But the fact that all of them--including Monday's little oopsie--occurred over the last 12 weeks should have business owners and IT managers thinking about other options or crafting policies on what can, and more importantly cannot, be stored in a Dropbox account.

The Ugly: Leaving The Door Unlocked

This week's error is particularly onerous. It's not good that encryption isn't up to snuff and it's even worse if Dropbox tried to mislead its users about that. And although it's common policy in cloud services' terms of service, it's disquieting to think that your data can be handed over to the government without your knowing.

But turning off password authentication? That's a whole new level of troubling.

It's sort of like a landlord that promises some level of physical security leaving the doors to your office unlocked overnight.

It's unacceptable that this bug made it into production. Even if only one in 100 Dropbox users' access accounts were accessed during that time, 100 in 100 users' accounts were at risk. And even accepting Dropbox's low estimates, that still means that data from 250,000 users was out there, unprotected.

The Upshot: More Cloud Questions

At a time when small businesses are confused about the cloud and what it has to offer, blatant but avoidable errors do nothing to quell those concerns and fears.

For small businesses, it points out the need to be wary of free or low-cost online services, to do due diligence on any services that you're allowing users to build into their workflows, and to have policies in place that dictate what services can be used and with what types of data.

Dropbox and other tools like it can offer tremendous boosts in productivity, particularly in an era where more users are connecting to work through more devices than ever before. But tools that are meant to be consumer-grade need to be thoroughly examined and the risks understood before any kind of sensitive business data is allowed onto the cloud.

Errors like this are going to happen. That's nearly impossible to avoid as cloud providers scramble to scale and add new features. Businesses need to decide where to draw the line in balancing convenience with security.

Join the CSO newsletter!

Error: Please check your email address.

Tags Internet-based applications and servicesapplication developmentWeb services developmentWeb-based ApplicationsapplicationsdropboxUtilitiesweb servicesinternetdata protectionsecuritybackupsoftwareencryption

More about Amazon Web ServicesDropboxetworkFTCSony

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Robert Dutt

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place