BreachExchange mailing list archives

unconfirmed: Dropbox Left User Accounts Unlocked for 4 Hours Sunday


From: security curmudgeon <jericho () attrition org>
Date: Mon, 20 Jun 2011 21:09:09 -0500 (CDT)


[The incident is confirmed. Whether any private data was taken during this
  4-hour window is unconfirmed. - jericho]

http://www.wired.com/threatlevel/2011/06/dropbox/

Dropbox Left User Accounts Unlocked for 4 Hours Sunday
By Ryan Singel
June 20, 2011

At a time when hackers are on a tear looting information willy-nilly from 
insecure sites on the Web, Dropbox did the unthinkable Sunday: it allowed 
anyone in the world to access any one of its 25 million customers' online 
storage lockers, simply by typing in any password.

Dropbox, one of the most popular ways to share and sync files online, says 
the accounts became unlocked at 1:54pm Pacific time Sunday when a 
programming change introduced a bug. The company closed the hole a little 
less than 4 hours later.

The bug was reported on Dropbox forums and on Pastebin (via security 
researcher Christopher Soghoian).

[..]
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
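The article says only that "a programming change introduced a bug" that let any password unlock any account; it gives no detail of the code. The following Python is an added illustration, not Dropbox's code and not from the article or the list post: a hypothetical password-check regression of that general shape (the digest comparison runs but its result is dropped, so the function effectively answers "does this user exist?") next to the correct check, plus the negative login tests that would have caught it before deploy. The user store, salt and password are constructed sample data; the function names are made up for the example.

```python
import hashlib
import hmac

# Low iteration count keeps the demo fast; production values are far higher.
ITERATIONS = 10_000


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-SHA256 of the password under a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


# Constructed sample store: username -> (salt, stored hash). A fixed salt keeps
# the example deterministic; real code draws salts from os.urandom.
SAMPLE_SALT = b"0123456789abcdef"
USERS = {
    "alice": (SAMPLE_SALT, hash_password("correct horse", SAMPLE_SALT)),
}


def verify_password_buggy(store, username, password):
    """Hypothetical regression (not Dropbox's actual bug): the comparison is
    computed but its result is discarded, so the function returns True for
    every existing user regardless of the password supplied."""
    record = store.get(username)
    if record is None:
        return False
    salt, stored = record
    hmac.compare_digest(hash_password(password, salt), stored)  # result unused
    return True


def verify_password(store, username, password):
    """Correct check: the constant-time digest comparison decides the outcome."""
    record = store.get(username)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(hash_password(password, salt), stored)


def auth_regression_checks(verify) -> dict:
    """Negative tests a login path should pass before any deploy.
    Returns check name -> True if that check passed for the given verifier."""
    return {
        "correct_accepted": verify(USERS, "alice", "correct horse") is True,
        "wrong_rejected": verify(USERS, "alice", "wrong horse") is False,
        "empty_rejected": verify(USERS, "alice", "") is False,
        "unknown_rejected": verify(USERS, "mallory", "anything") is False,
    }


def passes_all(verify) -> bool:
    """True only if every positive and negative login check passes."""
    return all(auth_regression_checks(verify).values())


if __name__ == "__main__":
    for name, fn in (("buggy", verify_password_buggy), ("fixed", verify_password)):
        print(name, auth_regression_checks(fn))
```

The point of the harness is that a suite containing only the happy-path check ("correct_accepted") passes against both versions; only the wrong-password and empty-password cases separate the two, which is why a login change should never ship without them.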

