Last month I wrote about a small security problem with ultra-popular cloud file storage and sharing service Dropbox. Because of a bit of lazy programming by the Dropbox devs, copying a file from one computer to another eliminates the necessity to log on to Dropbox with your password on the second computer. It isn't a huge security hole because a potential cracker has to be able to get onto your computer in order to grab the file.
This is a completely different problem -- a much bigger problem.
Sharp-eyed doctoral candidate Christopher Soghoian caught Dropbox in a bit of, uh, let's call it an inconsistency. Here's what he found.
When you set up a Dropbox account, you establish a folder on your PC that's shared and synced with similar folders on other PCs, Macs, iPads, mobile devices, whatever. You brand the folder and its contents with an email address and a password. To get into the folder -- online on the Dropbox website, or on another computer, pad, or smartphone -- you have to provide the correct email address and password.
When I wrote the original article -- indeed, when I started using Dropbox -- I assumed that I was the only person with the password for my folder. Wrong.
Soghoian found an anomaly. Dropbox claimed, "All files stored on Dropbox servers are encrypted (AES-256) and are inaccessible without your account password." Yet the company also claimed, "If we detect that a file you're trying to upload has already been uploaded to Dropbox, we don't make you upload it again. Similarly, if you make a change to a file that's already on Dropbox, you'll only have to upload the pieces of the file that changed."
How, Soghoian asked, could Dropbox find duplicate files -- or detect which pieces of a file had changed -- if it didn't have access to the contents of those files? Dropbox responded with a resounding thud.
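Soghoian's question can be checked in a few lines. The Python sketch below is an added example, not Dropbox's code: two accounts upload the same file to a server that deduplicates by hashing whatever bytes it receives. It assumes an HMAC-SHA256 keystream as a stand-in for AES-256; the `Server` class, account names and file contents are constructed for illustration.

```python
import hashlib
import hmac

def derive_key(password: str, salt: bytes) -> bytes:
    # Per-user key derived from the account password (PBKDF2-HMAC-SHA256).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Stand-in for AES-256 (assumption): HMAC-SHA256 keystream in counter mode.
    # The nonce is derived from key and plaintext, so one user encrypting the
    # same file twice gets the same ciphertext; only the key varies the output.
    nonce = hmac.new(key, b"nonce" + plaintext, hashlib.sha256).digest()[:16]
    stream, counter = b"", 0
    while len(stream) < len(plaintext):
        block = nonce + counter.to_bytes(8, "big")
        stream += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return nonce + bytes(p ^ s for p, s in zip(plaintext, stream))

class Server:
    """Hypothetical storage backend: indexes blobs by SHA-256 of the bytes it sees."""
    def __init__(self):
        self.blobs = {}

    def upload(self, blob: bytes) -> bool:
        # Returns True when an identical blob is already stored (upload skipped).
        digest = hashlib.sha256(blob).hexdigest()
        if digest in self.blobs:
            return True
        self.blobs[digest] = blob
        return False

def second_upload_deduplicated(password_only_keys: bool) -> bool:
    """Two users upload the same file; report whether the second one was skipped."""
    document = b"constructed sample file contents\n" * 64
    accounts = [("alice@example.com", "alice-password"),  # constructed accounts
                ("bob@example.com", "bob-password")]
    server, skipped = Server(), []
    for email, password in accounts:
        if password_only_keys:
            # Only the user can decrypt: the server receives ciphertext.
            blob = encrypt(derive_key(password, email.encode()), document)
        else:
            # The server (or a key it holds) can see the file contents.
            blob = document
        skipped.append(server.upload(blob))
    return skipped[1]

if __name__ == "__main__":
    print("password-only keys, duplicate detected:", second_upload_deduplicated(True))
    print("server can read contents, duplicate detected:", second_upload_deduplicated(False))
```

With keys that only the account password can produce, the server sees two unrelated ciphertexts and cannot tell they are the same file; the duplicate is detected only when the server can see the contents.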
On April 12, the Dropbox help site said:
Dropbox employees aren't able to access user files, and when troubleshooting an account, they only have access to file metadata (filenames, file sizes, etc. not the file contents)... All files stored on Dropbox servers are encrypted (AES-256) and are inaccessible without your account password.