X
Innovation

Did the DropBox security lapse poison the well for iCloud?

For four hours on Monday, cloud-based storage provider DropBox allowed anyone to log into any account with any password. What will the ramifications be to iCloud?
Written by Jason D. O'Grady, Contributor

For four hours on Monday, cloud-based storage provider DropBox allowed anyone to log into any account with any password. Take a second to read that first sentence again.

Scared? You should be.

If you're like me (and most regular iOS users, I suspect) you're a heavy DropBox user. Dropbox is deeply integrated into so many iOS apps and it bridges the gap left by iOS' lack of a real file system -- making it practically a requirement. It's no wonder that the service has 25 million users.

The sad part in this whole sordid tale is that Dropbox hoped to sweep it under the rug and only fessed up about the vulnerability after the media picked up the story.

Fred Oliveira said it best:

Here’s the company’s blog post about the vulnerability:

Hi Dropboxers,

Yesterday we made a code update at 1:54pm Pacific time that introduced a bug affecting our authentication mechanism. We discovered this at 5:41pm and a fix was live at 5:46pm. A very small number of users (much less than 1 percent) logged in during that period, some of whom could have logged into an account without the correct password. As a precaution, we ended all logged in sessions.

We’re conducting a thorough investigation of related activity to understand whether any accounts were improperly accessed. If we identify any specific instances of unusual activity, we’ll immediately notify the account owner. If you’re concerned about any activity that has occurred in your account, you can contact us at security@dropbox.com.

This should never have happened. We are scrutinizing our controls and we will be implementing additional safeguards to prevent this from happening again.

-Arash

Dropbox's second black eye (in as many months) has certainly shaken my trust in Dropbox, even though I don't use it as much as I used to.

The big question is what, if any, will the ramifications be to iCloud? Apple hasn't commented on the encryption scheme that iCloud will use, but let's hope that Apple takes a long, hard look at its iCloud security in light of this high-profile privacy flub by the "big dog" in the industry.

The lesson here is simple: Don't put anything on "the cloud" that you wouldn't want someone else to get access to -- unless it's encrypted on the client end. I still recommend Wuala for cloud-storage because it lets you hold the encryption keys.

How does the latest Dropbox fiasco leave you feeling about iCloud and cloud-based storage in general?

Further reading:

Editorial standards