For four hours on 6/20/2011, anyone could access the contents of any Dropbox account knowing only the account's email address. The fix took only five minutes, but it came only after someone (not associated with Dropbox) noticed that he had gotten into his own Dropbox account even though he had knowingly mistyped his password. Then he accessed someone else's account without entering any password.
Luckily he emailed Dropbox and let them know they were wide open. Otherwise, it could have been much longer before the problem was discovered.
Dropbox never made any general announcement, and never alerted their users via email. Most folks are discovering the problem through third-party blogs and by word of mouth.
Not sure this will deal a deathblow to Dropbox and other cloud providers. I know we really shouldn't be uploading sensitive content to cloud providers, but that isn't the problem as far as I'm concerned. It shouldn't matter if I'm uploading my personal tax records, my personal diaries, or, hell, even nudie pics with farm animals. Private stuff should be just that, private.