simplified signon: No password needed for dropbox

DropBox inadvertently implemented simplified signon yesterday when a code change negated the need for passwords for around 4 hours. The bug was published at 1:54pm Pacific time, discovered at 5:41pm and a fix was live at 5:46. For a change that quick, I guess they either rolled back the authentication code, or it was a really simple bug – like maybe a bypass used for testing in development?

5 minutes is pretty damn quick for change request approval and update. I can’t see it happening in any large organisation I’ve worked for so I’ve got plenty of praise for a rapid response. On the flip side, weak change control is probably why the bug got through in the first place.

All users logged in at that time have been sent logs to review any anomalies for themselves. Hmmm…. crowd sourced security investigations? To the potentially compromised users themselves? Probably not the greatest idea. But still, if you don’t have any better technology to do it (maybe an adaptive risk engine could help?) it’s better than some alternatives – doing nothing or adding more eyeballs who don’t really know what to look for.

In related news, ATC-NY has released a forensic tool that allows private files on the Dropbox online hosting service to be read.

Might need to rethink my personal cloud storage approach. Is anyone else any better?


Leave a Reply