Customers of cloud-based file storing-and-sharing company Dropbox should check on the data they’ve entrusted to the service, following the company’s admission that it messed up its access controls for several hours.
(Updated: please see footnote below.)
Unlike the majority of data breaches we’ve reported on lately – where usernames and passwords were stolen, allowing attackers and miscreants to access other people’s accounts illegally – Dropbox’s “hack” was of a more embarrassing sort.
Apparently, Dropbox published a code update which inadvertently removed the need to authenticate. So you could log in to other people’s accounts without knowing their passwords at all. (Dropbox isn’t alone in having made this sort of mistake. Facebook did something similar last year, leading to Mark Zuckerberg’s own fan page being hacked.)
Ouch.
One popular use of services like Dropbox is to get around the restrictions many companies put on emailing around large files. If I’m working at home and have a huge spreadsheet which I know my IT manager won’t let through the email gateway, I can just upload it to Dropbox and share the resulting web link with my colleagues.
In theory, the risk of this should be no worse that me copying the file to a USB key and letting my colleagues copy it from there. (In fact, if you’re not careful with USB keys, they may pose a larger risk than sharing web links, since the USB key may contain other files – such as malware – besides the spreadsheet you just saved on it.)
But the safety of a web link allowing you to share a file “through the cloud” depends very strongly on who’s able to access that link. If anyone can download it, you run the risk of data leakage. And if anyone can access and modify it, you run the risk of something much worse.
Dropbox can also automatically synchronise your own files between all your various devices, such as your desktop PC, your Mac laptop and your smartphone.
In the company’s own promotional video, an intrepid adventurer named Josh uses Dropbox to share and to synchronise detailed information between his numerous devices for his forthcoming safari in Africa.
That means that unauthorised access to your Dropbox data could give cybercrooks an enormous amount of information about your life, your plans and your identity. And unauthorised modification of your Dropbox data could propagate incorrect information throughout your digital world.
Dropbox did well to fix the problem within four hours, and to admit this openly on its blog.
But the “eternal beta” flavour of many cloud services – where updates and improvements are rolled out regularly and frequently to suit the service provider rather than its users – is an often-underestimated risk.
By the way, one way to improve the safety of web-based file sharing is to encrypt the files you share before you upload them. Only someone with the password will be able to decrypt those files. And if you don’t have the password, you won’t be able to alter their content, either.
If you’re interested, Sophos has a free tool for Windows users that you can use to encrypt and compress sensitive information. You can use it for free both commercially and personally.
* Download now (direct download, no registration, Windows only)
Footnote. As alert Twitterer Andy Durdin points out, you can readily see if someone else has changed your Dropbox files. But you can’t see if someone else has been snooping through your data.
Dropbox suggests on its blog that less than 1% of accounts were accessed during the unprotected period, and that it will contact those users in case the access was unauthorised.
If your account was accessed, be sure to ask Dropbox for a detailed log of what happened so you can find out what got stolen as well as what got changed. Unauthorised access and unauthorised modification are both bad for your digital well-being.