
New security issue at Dropbox - davewiner
http://pastebin.com/yBKwDY6T
======
Jasber
A slight tangent...

I recently looked into password managers myself after the MtGox leak. I tried
1Password and LastPass. While both do what they say--I found them cumbersome
to use.

I settled on a scheme like this:

E-mail: Very strong, completely unique. 2-factor auth. If you have my e-mail,
it's game over.

Bank: Very strong, completely unique.

The rest of the passwords I've broken down into tiers. I've memorized a
password for each tier combined with a hashing algorithm stored in my head.

The theory here being if an entire tier gets compromised (someone figures out
my hashing scheme), at the very worst I lose the entire tier.

This does keep me safe from automated attacks, but not if someone singled me
out individually. Which in that case, I've got other problems.

This isn't perfect, but it gives me a couple of things I really value:

- Keep all passwords in my head

- Unique passwords on each site

- Tiered passwords so if someone figures out my hashing scheme, they only get
that tier

I like the idea of password managers, but in practice they were too much
hassle for me.

~~~
illumin8
The MtGox breach inspired me to switch to LastPass. I used to do what you did,
and MtGox was part of my "medium security" tier.

Now, I've decided that there is no real effective solution other than randomly
generated passwords unique to each site.

I also turned on 2-factor auth for Gmail a couple months ago - their SMS
system is really effective.

I do have to credit Google for being extremely awesome when it comes to
security... They noticed a few "your password has been changed" emails
incoming to my inbox yesterday and immediately put a security flag on my
account, requiring me to re-auth with 2-factor and change my password. Google
is really proactive when it comes to security. The fact that they can
recognize a high number of password change emails arriving as an indicator of
possible account hijacking is just amazing.

I think LastPass is probably as good of a solution as any. They only store
your encrypted password database in the cloud. With a strong enough master
password and optional 2-factor authentication with Yubikey, it seems quite
secure.

~~~
TheEskimo
My reason for not using LastPass is because it is proprietary. In fact, there
has been an XSS attack on them in the past which was somewhat successful. I
use KeePassX because it allows me to avoid laying trust on any proprietary
entity. At present if LastPass were to have another security flaw (and hey,
security flaws on web-facing servers are all too common) you'd be out of luck.
With KeePassX security is local. The worst case for me is someone stealing my
database and trying to brute-force the password (hah, like that'll happen).
This requires them to have physical access to my computer. Anyone can take a
guess at your password because it's a web based service.

~~~
illumin8
KeePassX is still vulnerable to a keylogger on your local machine.

LastPass with 2-factor auth should be more secure than KeePassX, however, your
point about it being proprietary is well taken.

I also think LastPass has a very good reputation for full disclosure - when
the salted hashes of master passwords were compromised in 2010 it was very
refreshing to see the CEO come forward and give immediate full disclosure to
the public about the implications, and why you should change your master
password.

I also find it refreshing that if you have a strong master password, even
someone compromising their entire database should not give you reason to worry
- it would be similar to someone getting a copy of your KeePassX database -
it's still encrypted with high-grade encryption.

------
peterwwillis
It's 2011. Why are people still surprised when some blatant hole is found in a
site? Does everyone just delude themselves into thinking "oh, they HAVE to be
secure"? That old cliche 'nothing is totally secure' is almost right: the
reality is, everything is mostly-not secure.

Tips on never getting caught with your pants down by a 3rd party service:

1. Never ever rely on a service maintained by a 3rd party to remain secure.
Just assume they will be compromised in the near future (including your
password).

2. Make your password strong but don't reuse it; save it in your browser
password cache or keyring. Use a memorized really-freaking-difficult master
password for the browser cache/keyring.

3. Use NoScript and updated browsers to help prevent XSS and other simple
attacks from compromising your cached cookies.

4. Encrypt all sensitive stored information yourself using a well-vetted tool
such as gpg, openssl, etc and store the encrypted files on the 3rd party
service.

5. Keep hard copies of your secure files, keys, etc in a secure location.
'The Cloud' is not a backup, it's a trap.

~~~
pavel_lishin
> That old cliche 'nothing is totally secure' is almost right: the reality is,
> everything is mostly-not secure.

A security hole is one thing, but something like being able to log into
anyone's account with whatever you'd like as the password? Or changing a digit
in a URL and accessing someone else's account? Come on, that's like the guards
at Fort Knox leaving all of the doors open directly to the gold, or the Secret
Service collectively going out for a smoke break during a presidential parade.

~~~
peterwwillis
If you're relying on a cloud-hosted startup to secure gold or the president,
you're doing it very, very, very wrong.

The level of complexity of an attack and the ridiculousness of a hole are
almost completely arbitrary in terms of compromising the security of a
service. The biggest attacks of the past 6 months were performed either using
social engineered credentials or extremely common web application
vulnerabilities (so common that probably every hole used is on OWASP's Top 10
security holes).

The only reason Fort Knox or the Secret Service works is because it relies on
humans spending 100% of their time actively focusing on security, 24 hours a
day, every day. No web service I have ever heard of has that level of
security.

As far as this particular hole: it's probably a bug somebody left in some code
by accident and nobody foresaw the consequences. There are bugs like this in
every system. The only reason you don't see more of these holes is because
either nobody's looking for them or somebody found it and is keeping it very
secret.

------
eli
"_there was a very brief glitch and this should never happen/be possible
again. thanks for the email._"

Yikes

------
mike-cardwell
Dropbox _owes_ their customers a public explanation.

~~~
crocowhile
Yes, I agree. But until I hear a confirmation from Dropbox I am going to
assume that all this never really happened and it's just a prank. It seems
too big and too weird to be true. edit: This is the guy who reported the
"glitch" <https://twitter.com/#!/csoghoian> seems legit. I am shocked.

~~~
gobongo
"But until I hear a confirmation from Dropbox I am going to assume that
all this never really happened and it's just a prank."

Various big-name dropbox people are likely aware of this thread now based on
their quick responses to previous threads here at HN. The fact that they've
said nothing here is virtually an admission that there was a problem. It only
takes a few seconds to bang out a 'this claim has no merit' post if it indeed
does have no merit.

The question is, are they working on some sort of official statement to make
(which would have to be exactly worded and thus I can understand the lag time)
or are they ducking down and hoping this will just blow over?

IMO they absolutely need to address this very soon, and not just as a one line
email that promises it'll never happen again.

~~~
crocowhile
Yes, I agree with all you write now. It just seemed such a weird issue though.
Hard to imagine how something like this can happen accidentally.

------
brk
People have been slamming Dropbox quite a bit, and it's not all entirely
unwarranted.

I think that part of this is how Dropbox is handling things, and the fact they
appear to be growing faster than they can code.

I'd love to see them offer something like a free lifetime 50GB account for
anyone who submits a high security reproducible bug like this. Sure, they may
end up giving out a couple of terabytes of free space, but the intense QA they
would get for free would likely be worthwhile.

------
trebor
Well, this definitely cinches it. I had stuck with Dropbox through the whole
"your files aren't THAT encrypted" debacle because I have nothing worth
hiding. But, this complete incompetence has convinced me that it isn't worth
the risk!

I'm not as highly paid as the Dropbox guys are, I'm sure, but even _I_ know to
test authentication with automated tests. Oh, and not to let things that fail
tests through to production!

What if I had archived my bank records there and someone got ahold of them?
Thankfully I'm still just a little too paranoid for that.

I'm moving to Wuala or rsync.net; before I try the latter I want to test
Wuala.
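The kind of automated authentication test the comment above is asking for, as an added example that is not Dropbox's code or the commenter's: a password check done properly (salted PBKDF2, constant-time compare), a constructed variant that reproduces the "any password is accepted" failure mode the thread describes (the hash is computed but never compared), and a regression gate that distinguishes the two. All names and the sample user are assumptions made up for this example.

```python
import hashlib
import hmac
import os

# Hypothetical credential store: username -> {"salt": bytes, "hash": bytes}.
# Constructed for this example; not a real system's data.


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 with a per-user salt; iteration count kept modest for the demo.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_user(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt)}


USERS = {"alice": make_user("correct horse battery staple")}


def verify_login(username: str, password: str) -> bool:
    """Correct check: unknown user or mismatched hash both fail closed."""
    record = USERS.get(username)
    if record is None:
        return False
    candidate = _hash_password(password, record["salt"])
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, record["hash"])


def verify_login_buggy(username: str, password: str) -> bool:
    """Constructed regression: the hash is computed, but the comparison was lost
    in a code change, so every password for an existing user is accepted."""
    record = USERS.get(username)
    if record is None:
        return False
    _hash_password(password, record["salt"])  # result never used
    return True


def auth_regression_checks(login) -> dict:
    """The minimum a CI gate should run against any login function before
    it reaches production. Every value must be True to pass."""
    return {
        "accepts_correct": login("alice", "correct horse battery staple"),
        "rejects_wrong": not login("alice", "not the password"),
        "rejects_empty": not login("alice", ""),
        "rejects_unknown_user": not login("mallory", "anything"),
    }
```

A gate of this shape fails the build on the buggy variant because `rejects_wrong` and `rejects_empty` come back False, which is exactly the class of change the thread says should never have shipped.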

~~~
pavel_lishin
> I have nothing worth hiding.

Mind putting up a mirror of your Dropbox folder?

~~~
trebor
Heh, that'd take maybe 60 seconds. I've only got a few articles that I've
saved, a few screen shots, and one tiny demo project.

As I said, it wasn't worth worrying about.

------
mike-cardwell
<https://www.dropbox.com/help/27>

"Your files are backed-up, stored securely, and password-protected."

Except, apparently, you don't even need to know the password to get access to
the unencrypted files.

I wish somebody would clone exactly what Dropbox does, but get the
encryption/security right so that it is _impossible_ for anyone other than the
account owner to access their files. Dropbox will _never_ get security right.

~~~
yuvadam
_Dropbox will never get security right_

I fail to see how you conclude that. Yes, they did have several glitches in
the past, and no, they did not always respond as they should have.

But there are some pretty smart people working at Dropbox. What makes you
think they do not have the capacity to solve security issues?

~~~
mike-cardwell
They should have made it so files can only be encrypted/decrypted client side.
They sacrificed this security so that they could do two extra things.

1.) De-duplication

2.) Web access to the files.

They also sacrificed the security of the mobile clients by disabling SSL, in
exchange for a small speed increase.

Those are the main reasons I have come to this conclusion.

~~~
arethuza
From what I can see the mobile clients _do_ use SSL:

<http://forums.dropbox.com/topic.php?id=24507>

~~~
bxr
They do _now_.

Here is a forum post where they admit that mobile SSL was impossible.

<http://forums.dropbox.com/topic.php?id=10669>

~~~
arethuza
That is pretty bad! :-(

------
presidentender
For the record, Arash isn't some random support guy, he's the CTO.

That means the support team properly escalated this way up the food chain very
quickly, and I'd be extremely surprised if we didn't see a response from
Dropbox later today.

------
crocowhile
Other people noticed this on the dropbox forum:
<http://forums.dropbox.com/topic.php?id=40113>

------
georgemcbay
There's a blog post addressing this incident now on the dropbox blog:

<http://blog.dropbox.com/?p=821>

It is very light on details of how exactly the problem occurred other than
saying it was due to a bug in a code update.

~~~
jevinskie
They say that less than 1% of all of their users logged in during the
vulnerable time frame. I suspect those are weasel words to downgrade the
apparent severity of the problem. A more useful metric would be # user logins
during vulnerable timeframe / # user logins per day.

------
lordlarm
This is the sort of thing where the submitter (at pastebin in this case)
should be absolutely sure that the bug is fixed from Dropbox's side before
telling the whole world about it.

This way everyone is happy, and not to mention safe.

I'm so tired of seeing all these username/password leaks lately. It is not
doing anyone anything good, except for teenagers and thieves who think it
is funny to empty Amazon accounts or upload nude pictures on Facebook (etc.
etc.)

So, in all fairness, the submitter did actually contact Dropbox first (which
is great), but please wait until they definitely have fixed it before telling
the world about it. Or at least, that is my humble opinion.

~~~
owenmarshall
The poster _did_ contact Dropbox and was told, essentially, "it's a glitch,
don't worry about it."

The poster was not told any details about "the glitch" -- we don't know if it
was a one-time issue, or if it represents a deeper architectural issue. In
this case, full disclosure is _absolutely_ warranted.

Applying the most optimistic reading, Dropbox fixed the problem, so disclosure
is fine. The most pessimistic would say that the problem still exists, and
that disclosure will cause exposure, but will also prompt further scrutiny to
the issue.

------
davewiner
I haven't tried to reproduce this yet, but if it's true, it's quite serious.

~~~
michael_dorfman
I just tried, and failed to reproduce.

So, at the moment, there's nothing to see here.

~~~
quinndupont
Still. My god this is worrisome.

------
jontas
I cannot reproduce.

~~~
ch0wn
Read the complete correspondence. It was fixed.

~~~
sorbus
Or was never an issue in the first place.

------
ltamake
Doesn't work.

------
bxr
Last time the Dropbox security thing was in the news, regardless of your
personal preference on what encryption keys Dropbox should have been using,
the issue and more importantly the way they handled it made me question their
abilities. Then they sent a DMCA takedown notification to someone
they were just trying to censor, and now they temporarily set their auth
method to "allow any password".

They are showing us that they are technologically incompetent at managing
their own systems. I don't know why anyone continues to do business with them
for files they want any sort of privacy over.

I've moved to rsync.net. It's uglier, but at least they know what the fuck
they're doing.

~~~
mcrittenden
> I've moved to rsync.net. It's uglier, but at least they know what the fuck
> they're doing.

How do you know? Could it just be that the only reason Dropbox has publicized
exploits and rsync.net doesn't is because Dropbox has many, many more users?
And thus more people trying to exploit it and more publicity when an exploit
is found?

~~~
bxr
> How do you know?

Pubkey auth connecting to OpenSSH on FreeBSD to HIPAA-, PCI-, SOX- and SAS 70-
compliant storage with a warrant canary, and you can give them a call to talk
to the engineers (I have). Looking back, Dropbox feels like a fly-by-night in
comparison.

