Vulnerability in Dropbox security leaves user accounts wide open
No bones about it: Dropbox security just took a huge dive in user confidence. This past Sunday, Dropbox user accounts — all of them — were open and accessible to the world, no password required. What’s worse — the fact that the Dropbox security team must not have adequately done QA on its patch that left all accounts unsecured, or the fact that they acted like nothing happened for almost a day, until they posted a very unemotional update to their blog?
My favorite part of the Dropbox blog notice: “The glitch was a programming error related to a code update and accounts were only vulnerable from around 1:54 pm PST to 5:46pm PST.” It’s like a subtle pish-posh on your worries for your data. Nothing to see here! Your files and data were only unprotected for four hours. Or, as I like to think about it, it only took Dropbox four hours before it noticed that it broke its own encryption.
Actually, it appears that Dropbox only noticed the error when one of its users, Chris Soghoian, discovered the issue and sent in a support request. The failure to acknowledge the concerns of its users and the fact that as of June 21, Dropbox still hadn’t notified all of their users directly, has made a lot of people upset. I’m not sure I can blame them: We’ve said before that the truest test of a company’s strength is how it reacts to bad situations exactly like this one.
We’ve recommended Dropbox as a nice free business app for your iPad in the past, and we’ve also reported on the FTC complaint that Dropbox security wasn’t up to par and recommended that you go through the extra step of adding a secondary encryption by using Dropbox and TrueCrypt. Undoubtedly, trolls in tinfoil hats will now use this as an opportunity to feed more cloud paranoia, but let’s look at this misadventure with a little perspective: Your own desktop is probably more vulnerable to outside attack than most cloud services, and rarely is a desktop vulnerability noticed in only four hours.
Yes, Dropbox promised it was free awesome encryption and data storage. So do a lot of cloud providers, and we’ve learned from many examples that there is no such thing as “too big to fail“. As CIO Marc Seybold said in this week’s news story, “You can put all the antivirus software in the world on the network, but something will still make its way past those defenses.” As with so many things, Dropbox and all public cloud options (hello, Google, I’m looking at you) have always been caveat emptor.
I’ll still use Dropbox as a convenient service for my own data storage, but just as before, I’m not putting anything on it that I wouldn’t want my grandmother (or a hacker) to see.