Criticism of Dropbox, an American company specializing in cloud storage and file synchronization and their flagship service of the same name, centers around various forms of security and privacy controversies. Issues include a June 2011 authentication problem that let accounts be accessed for several hours without passwords; a July 2011 privacy policy update with language suggesting Dropbox had ownership of users' data; concerns about Dropbox employee access to users' information; July 2012 email spam with reoccurrence in February 2013; leaked government documents in June 2013 with information that Dropbox was being considered for inclusion in the National Security Agency's PRISM surveillance program; a July 2014 comment from NSA whistleblower Edward Snowden criticizing Dropbox's encryption; the leak of 68 million account passwords on the Internet in August 2016; and a January 2017 accidental data restoration incident where years-old supposedly deleted files reappeared in users' accounts.

April 2011 user authentication file information

Dropbox has been criticized by the independent security researcher Derek Newton, who wrote in April 2011 that Dropbox stored user authentication information in a file on the computer that was "completely portable and is not tied to the system in any way". In explaining the issue, Newton wrote: "This means that if you gain access to a person's config.db file (or just the host_id), you gain complete access to the person's Dropbox until such time that the person removes the host from the list of linked devices via the Dropbox web interface." He updated his post in October 2011 to write that "Dropbox has released version 1.2.48 that utilizes an encrypted local database and reportedly puts in place security enhancements to prevent theft of the machine credentials." A report from The Next Web featured a comment from Dropbox, in which they disagreed with Newton that the topic was a security flaw, explaining that "The researcher is claiming that an attacker would be able to gain access to a user's Dropbox account if they are able to get physical access to the user's computer. In reality, at the point an attacker has physical access to a computer, the security battle is already lost. This 'flaw' exists with any service that uses cookies for authentication (practically every web service)."

May 2011 data deduplication and employee access

In May 2011, a complaint was filed with the U.S. Federal Trade Commission alleging Dropbox misled users about the privacy and security of their files. At the heart of the complaint was the policy of data deduplication, where the system checks if a file has been uploaded before by any other user and links to the existing copy if so, and the policy of using a single AES-256 key for every file on the system so that Dropbox can (and does, for deduplication) look at encrypted files stored on the system, with the consequence that any intruder who gets the key (as well as potential Dropbox employees) could decrypt any file if they had access to Dropbox's backend storage infrastructure. In response to the FTC complaint, Dropbox spokeswoman Julie Supan told InformationWeek that "We believe this complaint is without merit, and raises issues that were addressed in our blog post on April 21." In a response on its blog, Dropbox wrote that "Like most major online services, we have a small number of employees who must be able to access user data when legally required to do so. We have strict policy and technical access controls that prohibit employee access except in these rare circumstances. In addition, we employ a number of physical and electronic security measures to protect user information from unauthorized access."

June 2011 account access without password

On June 20, 2011, TechCrunch reported that all Dropbox accounts could be accessed without password for four hours. In a blog post, co-founder Arash Ferdowsi wrote that "Yesterday we made a code update at 1:54pm Pacific time that introduced a bug affecting our authentication mechanism."
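The May 2011 section describes the trade-off at the centre of the FTC complaint: deduplication across users works because the service sees plaintext and encrypts everything under one AES-256 key, and that same single key is the blast radius if it leaks together with backend access. The following Go program is an added illustration of that trade-off and is not Dropbox's code; the page does not describe Dropbox's actual mechanism, so the store design (AES-256-GCM, deduplication keyed on the SHA-256 of the plaintext, demo keys filled with a constant byte) is an assumption made for the example. It builds the same two uploads under a single shared key and under per-user keys, then counts how many stored blobs exist and how many user files one key can open.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// blob is one encrypted file as held by the storage backend.
type blob struct {
	keyID     string // which key it was encrypted under
	nonce, ct []byte
}

// Store models a deduplicating encrypted file store (hypothetical design).
// keyFor decides which AES-256 key a user's files are encrypted under: the
// same key for everyone, as criticized in the 2011 complaint, or one per user.
type Store struct {
	keyFor func(user string) (id string, key []byte)
	blobs  map[string]*blob  // keyID + ":" + plaintext SHA-256 -> ciphertext
	links  map[string]string // "user/name" -> index into blobs
}

func NewStore(keyFor func(string) (string, []byte)) *Store {
	return &Store{keyFor: keyFor, blobs: map[string]*blob{}, links: map[string]string{}}
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Upload stores a file for user and reports whether it was deduplicated
// against an identical file already on the backend. Dedup is keyed on the
// SHA-256 of the plaintext, which the service sees before encrypting, so it
// can only link files that are encrypted under the same key.
func (s *Store) Upload(user, name string, plaintext []byte) (bool, error) {
	id, key := s.keyFor(user)
	sum := sha256.Sum256(plaintext)
	idx := id + ":" + hex.EncodeToString(sum[:])
	s.links[user+"/"+name] = idx
	if _, exists := s.blobs[idx]; exists {
		return true, nil // link to the existing copy, store nothing new
	}
	aead, err := gcm(key)
	if err != nil {
		return false, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return false, err
	}
	s.blobs[idx] = &blob{keyID: id, nonce: nonce, ct: aead.Seal(nil, nonce, plaintext, nil)}
	return false, nil
}

// BlobCount is the number of distinct ciphertexts the backend holds.
func (s *Store) BlobCount() int { return len(s.blobs) }

// FilesReadableWith counts the user files a single key opens: the blast
// radius of that one key leaking together with backend storage access.
func (s *Store) FilesReadableWith(key []byte) int {
	aead, err := gcm(key)
	if err != nil {
		return 0
	}
	n := 0
	for _, idx := range s.links {
		b := s.blobs[idx]
		if _, err := aead.Open(nil, b.nonce, b.ct, nil); err == nil {
			n++
		}
	}
	return n
}

// Constructed demo keys; a real deployment generates and protects its keys.
var sharedKey = make32(0x01)
var userKeys = map[string][]byte{"alice": make32(0xA1), "bob": make32(0xB0)}

func make32(fill byte) []byte {
	k := make([]byte, 32)
	for i := range k {
		k[i] = fill
	}
	return k
}

// SharedKey is the single-key design: every user's files under one key.
func SharedKey(user string) (string, []byte) { return "shared", sharedKey }

// PerUserKey gives each user their own key.
func PerUserKey(user string) (string, []byte) { return user, userKeys[user] }

func main() {
	doc := []byte("quarterly report, identical on alice's and bob's machines") // constructed sample
	for _, tc := range []struct {
		name   string
		keyFor func(string) (string, []byte)
	}{{"single shared key", SharedKey}, {"per-user keys", PerUserKey}} {
		st := NewStore(tc.keyFor)
		st.Upload("alice", "report.pdf", doc)
		dedup, _ := st.Upload("bob", "report.pdf", doc)
		fmt.Printf("%-18s dedup across users=%-5v blobs=%d files opened by shared key=%d by alice's key=%d\n",
			tc.name, dedup, st.BlobCount(), st.FilesReadableWith(sharedKey), st.FilesReadableWith(userKeys["alice"]))
	}
}
```

Under the shared key the second upload is deduplicated and one ciphertext serves both users, but that key opens every user's file; under per-user keys the same document is stored twice and a leaked key exposes only its owner's files. The example deliberately leaves out the plaintext-hash index that per-user encryption would still need for within-user dedup, since the page's point is the cross-user case.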