Did the DropBox security lapse poison the well for iCloud?

Did the DropBox security lapse poison the well for iCloud?

Summary: For four hours on Monday, cloud-based storage provider DropBox allowed anyone to log into any account with any password. What will the ramifications be to iCloud?

SHARE:
TOPICS: Cloud, Apple
20

For four hours on Monday, cloud-based storage provider DropBox allowed anyone to log into any account with any password. Take a second to read that first sentence again.

Scared? You should be.

If you're like me (and most regular iOS users, I suspect) you're a heavy DropBox user. Dropbox is deeply integrated into so many iOS apps and it bridges the gap left by iOS' lack of a real file system -- making it practically a requirement. It's no wonder that the service has 25 million users.

The sad part in this whole sordid tale is that Dropbox hoped to sweep it under the rug and only fessed up about the vulnerability after the media picked up the story.

Fred Oliveira said it best:

Here’s the company’s blog post about the vulnerability:

Hi Dropboxers,

Yesterday we made a code update at 1:54pm Pacific time that introduced a bug affecting our authentication mechanism. We discovered this at 5:41pm and a fix was live at 5:46pm. A very small number of users (much less than 1 percent) logged in during that period, some of whom could have logged into an account without the correct password. As a precaution, we ended all logged in sessions.

We’re conducting a thorough investigation of related activity to understand whether any accounts were improperly accessed. If we identify any specific instances of unusual activity, we’ll immediately notify the account owner. If you’re concerned about any activity that has occurred in your account, you can contact us at security@dropbox.com.

This should never have happened. We are scrutinizing our controls and we will be implementing additional safeguards to prevent this from happening again.

-Arash

Dropbox's second black eye (in as many months) has certainly shaken my trust in Dropbox, even though I don't use it as much as I used to.

The big question is what, if any, will the ramifications be to iCloud? Apple hasn't commented on the encryption scheme that iCloud will use, but let's hope that Apple takes a long, hard look at its iCloud security in light of this high-profile privacy flub by the "big dog" in the industry.

The lesson here is simple: Don't put anything on "the cloud" that you wouldn't want someone else to get access to -- unless it's encrypted on the client end. I still recommend Wuala for cloud-storage because it lets you hold the encryption keys.

How does the latest Dropbox fiasco leave you feeling about iCloud and cloud-based storage in general?

Further reading:

Topics: Cloud, Apple

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

20 comments
Log in or register to join the discussion
  • Until now, Apple has good history of protecting accounts of its users with

    no hacks and/or significant leaks in whole like seventeen years of their Internet presence.<br><br>There was one tiny leak of iTunes accounts information few years ago, however, it was not established to relate to any security flaw on Apple's servers (likely more to do with clients' Windows computers, from where login/password pairs were stolen).

    However, lets see how well Apple will face even bigger scale internet activity with the iCloud.
    DDERSSS
  • Umm, no,

    Apple users tend to have cognitive dissonance when it comes to any flaws of Apple. icloud will never fail because it is magical and revolutionary. This, despite the fact that Safari web browser and its webkit derivatives have an inordinant amount of vulnerabilities
    Your Non Advocate
    • RE: Did the DropBox security lapse poison the well for iCloud?

      @facebook@...

      .... when running under windows. I presume.
      macgregor@...
  • Signs are unclear

    I think iCloud may have a greater chance of being secure because it seems to only be accessible from an iOS or OSX device. Currently Apple has not said anything about a web interface to iCloud, only device/app interfaces. They also haven't said much about how "files" will be stored, or if they are even openable files without accessing them through a compatible iCloud app (will pages docs be .pages files or some other form of data?). Or if there is any level of encryption applied to your data.
    It seems like iCloud should be about as secure as mobileMe email, although I hope Apple updates their security policy to suggest/require you update your password at some interval.
    I'm curious to see if it will "just work" or not.
    alexwt
  • Security = Necessity

    I think we're going to begin seeing a new focus on security with our cloud products - I personally use HomePipe as the founders come from a strong security background and my content isn't actually stored in the cloud - it merely allows me to access my original content without me "dragging and dropping" or creating a copy of the document.
    ashleye427
    • RE: Did the DropBox security lapse poison the well for iCloud?

      @ashleye427
      well said "Security = Necessity".
      It was actually a FBI request to give full access for an hour to any account so they can be inspected for terror links and DMCA violations.
      Linux Geek
  • just one thing about Wuala...

    it's a common mistake to believe that you hold your Wuala encryption keys: you don't. They're not stored locally at all, not even hidden on your Wuala network drive. You do create them remotely though at account and first encryption creation time, but they're stored on the server. They still can't be used by anyone else than you as again they're generated after your username and password and only you hold the key to your keys. Another thing: Wuala is not a hundred percent secure. Data is encrypted before it leaves your system (actually on the network drive) but there's no ssl: connection is not encrypted, allowing eavesdroppers to intercept your data and evaluate it, i.e. compare the fingerprint of an encrypted file to a known file. Interception gives a download link to the encrypted file... then you can tell the exact size. Anyone can check that with MS Fiddler used as a proxy. Officially Wuala doesn't want to use ssl for performance reasons... officially...<br><br> This said Wuala is still a million times more secure than DropBox. The sort of attack I described (and acknowledged by the wuala team) can be a threat for pirates and hackers. Strictly private data is absolutely safe.<br><br>edit: just adding that obviously DropBox encryption scheme - at server level - is the worse one can imagine. The keys are not password/user dependent, they're DB team keys, explaining how after being granted the ability to open accounts during 4 hours, any password could allow to read the data.
    philippe s.
  • RE: Did the DropBox security lapse poison the well for iCloud?

    <I>"The lesson here is simple: Don?t put anything on ?the cloud? that you wouldn?t want someone else to get access to"</I>

    But Google wants us to! I trust them with it, Google can't be hacked, right?


    Oh, wait....
    The one and only, Cylon Centurion
  • as to iCloud...

    just time will tell... funnily Jobs forgot to mention anything about iCloud security at this dev event... iCloud should be like MS LiveMesh or Skydrive, offering ssl transmission and access but no data encryption at server level.
    philippe s.
    • Actually ...

      @philippe s.
      Jobs did make one brief mention that "everything is encrypted" then said something like "for storage and transmmission" (can't remember his exact wording now), but he didn't get specific about what form of encryption.
      jscott69
  • DropBox makes me re-think everything &quot;Cloud&quot;

    For me this incident coupled with the Facebook face recognition debacle brought several realizations:

    - Cloud based architecture cannot be blindly trusted. They are calling this a bug, but the fact that it was fixed in less than five minutes leads one to believe they have a giant authentication off switch designed into their system.

    - Users used to know when upgrades were happening and have the choice to opt-out of upgrades. When web apps just stored my settings, that was fine, but the distinction between "cloud" and "online" to me is determined by how critical the service is. Critical application (ie Cloud) users deserve notice. It may be impossible to let some users opt-out of cloud upgrades, but users should at least be given the courtesy of advanced notification including change details.

    - Users need to trust a development shop?s ability to deliver quality code. This isn't a measure of developers, it's really a measure of the processes an organization wraps around the developers. Cloud based apps should have to disclose how they tested.

    Based on recent events around DropBox, I get the impression they are a bunch of cowboys. This may be totally wrong, but that?s the impression. Most web start-ups would never make if they couldn?t be cowboys in the beginning, but there comes a time when an organization needs to grow up. A previous comment from an Apple fanboy is partially justified just for that reason. I trust that Apple, Google, Microsoft, Oracle, etc will follow proven life cycle processes and quality control to prevent really dumb things from happening too often.

    If you like this train of thought, I wrote an article geared more towards users on this same thing at International Business Times. It?s called ?Is It Time for an Online Bill of Rights??
    HealthyPasswords
    • I totally disagree

      @HealthyPasswords
      Cloud based architecture can and should be blindly trusted when the service provider is Apple. There has never been any viruses on OS X and there never will be due to the fact that OS X is UNIX and UNIX is hacker proof.
      woulddie4apple
    • That's what I was thinking ...

      @HealthyPasswords
      I'm not a DropBox user, but I've certainly checked out the service and considered it. And, despite their failings, I believe they still provide a useful, viable service.

      That said, my impression is that they're still in that quick-and-dirty startup phase, where there's less process and more immediate tweaks.

      Their willingness to quickly make changes and improvements is a big part of how they became successful: DropBox folks were willing to try something different. And it worked. And it grew.

      But when you start having thousands of users -- let alone millions -- you have a responsibility and obligation to think things through before you dive into the code and proceed methodically.

      As to whether DropBox has a "master on/off switch" or not ... sure they do: it's in their code. All they'd have to do is comment something out or perhaps mess up the code regarding the password check. But that's the same with any site/app. All it takes is one little character to create a syntax error or other logic flaw. Good companies build in safeguards to prevent such things from happening -- either error-checking code or at least processes to minimize the chance of bad code being introduced.

      I would be surprised if Apple's, Microsoft's, Google's or any other large enterprise like them would have this kind of problem these days. It could happen -- stuff does -- but it's less likely at established businesses with proven development practices and experience.
      jscott69
  • No, I'm sure this will get mis-categorized...

    as just a 'Drop Box' issue...

    The people who want to use iCloud (or any other cloud service) will rationalize their use by "That kind of stuff happens to the other companies, not Apple (or whoever), and it won't happen to me"

    Just like, people still think "Macs don't get viruses, that's a Windows problem"

    Moreover, there's also a large group of people that just don't know about who's looking at their data in the cloud (or they don't care, or both)

    If anything, this just poisons Drop Box's head start up to this point.
    UrNotPayingAttention
  • iOS lacks a real file system?

    "Dropbox is deeply integrated into so many iOS apps and it bridges the gap left by iOS? lack of a real file system"

    There are flaws in an apple product? Impossible.
    otaddy
    • RE: Did the DropBox security lapse poison the well for iCloud?

      @otaddy <br><br>A flaw? No, a design choice. Not one that I like, nor one that I would have made. But it was a design choice none the less. <br>What I really find interesting is how an article about drop box manages to bring out the Apple Bashers.
      house63
  • RE: Did the DropBox security lapse poison the well for iCloud?

    For the first 5 years icloud like solutions are not viable for large data storage. Besides we will never know who looked into our data anyhow. Most people will use their accounts for storing music, pictures and a handful of other files. If Mobile Me is anything to go by, Icloud will be a disaster anyhow. I never managed to upload more than a few Gigabyte without getting numerous errors and honestly spoken, I would not entrust Apple or any other company with unencrypted important data.
    rhon@...
  • RE: Did the DropBox security lapse poison the well for iCloud?

    Huh?

    Dropbox (which I use and like) has been pretty successful. It has had less problems than the hard drives on my PC. Or the 15 broken hard drives I have accumulated from a bunch of Thinkpads over the years.

    Yes, there was a problem. Yes, there will be more. Some will be serious. As a user of dropbox, if I want to have something REALLY secure, I'll encrypt it strongly before I send it there. It's called responsible computing. I play a part. I can't expect every frigging coder out there to do everything right 100% of the time. I code and I don't.

    Dropbox's problems don't influence me one iota regarding iCloud. If I ever use iCloud, I'll assume it's vulnerable and act accordingly. If you don't you are an idiot and deserve to be violated, regardless of your platform choice.
    macgregor@...
  • Since it appears they fixed it almost instantly

    it sounds like much ado about nothing to me.
    Laraine Anne Barker
  • review on angry birds iphone case - angry birds iphone 4 case

    Files entrusted to cloud-storage provider Dropbox were susceptible to unauthorized access via three attacks devised by security researchers, but the provider has since closed the vulnerabilities.

    Dropbox could also be used as a place to store documents clandestinely and retrieve them from any Dropbox account controlled by an attacker.

    Researchers who presented their work at USENIX Security Symposium say they had developed the exploits last year but gave Dropbox time to fix the problems before making the exploits public.

    "You get what you pay for" sums up the Element Vapor Comp iPhone case. It truly is an absolute top of the line iPhone casing which is good looking, well built and screams quality. If you want to safeguard your iPhone investment using the best, this is it. From the packaging all the way down to the quality manufacturing and machining of the Element Vapor case itself, you will be the coolest cat on the block sporting the Vapor Comp iPhone case. http://www.superbaccessories.com/vapor-comp-iphone-case-series-iphone-4-4s-element-cases-p515.html

    There are actually some great cases out there, but one of my new favorites is the Vapor Pro Black Ops case from Element Case. It is an iPhone casing that's so unique that the case arrives inside an additional case inside a box. The frame is machined from aircraft grade aluminum, making the Element Vapor case that is not merely really robust, but as well extraordinarily light ??? 0.6 ounces according to my digital kitchen scale. The aluminum, finished in matte black, provides great drop protection, even though adding practically no noticeable size or weight. The frame is completed with a polymer insert to avoid signal loss on account of ???death gripping??? the phone vapor pro black ops. http://www.superbaccessories.com/vapor-pro-black-ops-limited-edition-kit-element-case-p84.html

    Element vapor case gives your coveted iPhone 4 the life and protection it needs. Finished with a unique flex material, the vapor case allows you to grip your iPhone 4 without worrying about it slipping from your hands, or about it gathering fingerprints or pocket lint. The unique design makes installation and removal convenient, and the reinforced edges provide solid protection from drops. Elementcase surely offers superior protection compared to plastic cases, and does not gather fingerprints or dust like silicone cases.


    It is also worth mentioning that there are wide access ports at the bottom and top of the Vapor iPhone 4S case, which make it full well compatible with a wide range of headphones, earbuds and third party charging cables. Boasting a special, aerospace polymer section that is built over the antenna contact points to eliminate ???death-grip??? issues and improve Wi-Fi, GPS and 3G connectivity, you will find iPhone 4 Vapor case to be a pretty good bargain in the long run. http://www.superbaccessories.com/best-element-case-vapor-pro-4-iphone-4-4s-case-c56.html
    iphone4cases