KSP Technology - Regina, SK
Dropbox caught with its finger in the cloud cookie jar

July 21, 2011 | 1 Comment | in Information, News

Last month I wrote about a small security problem with ultra-popular cloud file storage and sharing service Dropbox. Because of a bit of lazy programming by the Dropbox devs, copying a file from one computer to another eliminates the necessity to log on to Dropbox with your password on the second computer. It isn’t a huge security hole because a potential cracker has to be able to get onto your computer in order to grab the file.

This is a completely different problem — a much bigger problem.

Sharp-eyed doctoral candidate Christopher Soghoian caught Dropbox in a bit of, uh, let’s call it an inconsistency. Here’s what he found.

When you set up a Dropbox account, you establish a folder on your PC that’s shared and synced with similar folders on other PCs, Macs, iPads, mobile devices, whatever. You brand the folder and its contents with an email address and a password. To get into the folder — online on the Dropbox website, or on another computer, pad, or smartphone — you have to provide the correct email address and password.

When I wrote the original article — indeed, when I started using Dropbox — I assumed that I was the only person with the password for my folder. Wrong.

Soghoian found an anomaly. Dropbox claimed, “All files stored on Dropbox servers are encrypted (AES-256) and are inaccessible without your account password.” Yet the company also claimed, “If we detect that a file you’re trying to upload has already been uploaded to Dropbox, we don’t make you upload it again. Similarly, if you make a change to a file that’s already on Dropbox, you’ll only have to upload the pieces of the file that changed.”

How, Soghoian asked, could Dropbox find duplicate files — or detect which pieces of a file had changed — if it didn’t have access to the contents of those files? Dropbox responded with a resounding thud.
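Soghoian's argument can be made concrete in a few lines. The model below is an added illustration, not Dropbox's code, and it assumes nothing about Dropbox's real block size or cipher: it builds a toy chunk store that deduplicates by content hash, shows that identical uploads from two users cost one set of chunks and that a one-byte edit re-sends only the touched chunk, then repeats the exercise with each user encrypting under a key the server never sees. The HMAC-based keystream is a stdlib stand-in for AES so the script runs offline; it is not a production cipher.

```python
"""Why cross-user deduplication implies the provider can read file content.

Added illustration (not Dropbox's code). Two storage designs are modelled:
  1. provider-side dedup: the server hashes plaintext chunks and stores
     each distinct chunk once, so it necessarily sees the plaintext;
  2. client-side encryption under a per-user key the server never holds:
     the same plaintext becomes unrelated ciphertext for each user, so
     the server has nothing to match duplicates on.
"""
import hashlib
import hmac
import os

CHUNK_SIZE = 4096  # assumed chunk size; the real Dropbox block size is not stated on the page


def chunk(data: bytes):
    """Split a file into fixed-size pieces (the 'pieces' Dropbox talks about)."""
    return [data[i:i + CHUNK_SIZE] for i in range(0, len(data), CHUNK_SIZE)]


def chunk_ids(data: bytes):
    """Content hashes: exactly what a server needs in order to spot duplicates."""
    return [hashlib.sha256(c).hexdigest() for c in chunk(data)]


class DedupStore:
    """Server that keeps one copy of each distinct chunk, keyed by its hash."""

    def __init__(self):
        self.blobs = {}
        self.uploads = 0  # chunks that actually had to be transferred

    def upload(self, user: str, data: bytes):
        ids = chunk_ids(data)
        for cid, c in zip(ids, chunk(data)):
            if cid not in self.blobs:  # only new content costs an upload
                self.blobs[cid] = c
                self.uploads += 1
        return ids


def keystream_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy CTR-style stream cipher built from HMAC-SHA256 (illustration only).

    Encrypting twice with the same key and nonce returns the plaintext.
    """
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        stream.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def demo(file_bytes: bytes, users=("alice", "bob")):
    """Count chunks each design must transfer; file must be at least 2 chunks long."""
    # Design 1: the server deduplicates on plaintext hashes.
    plain = DedupStore()
    for u in users:
        plain.upload(u, file_bytes)
    shared_cost = plain.uploads  # second user's upload added nothing

    # A one-byte edit in the second chunk re-sends only that chunk.
    edited = bytearray(file_bytes)
    edited[CHUNK_SIZE + 1] ^= 0xFF
    plain.upload(users[0], bytes(edited))
    edit_delta = plain.uploads - shared_cost

    # Design 2: each user encrypts with a key the server never holds.
    encrypted = DedupStore()
    for u in users:
        key, nonce = os.urandom(32), os.urandom(16)  # hypothetical per-user secrets
        encrypted.upload(u, keystream_encrypt(key, nonce, file_bytes))

    return {
        "plaintext_dedup": shared_cost,          # one copy serves both users
        "edit_delta": edit_delta,                # only the changed piece
        "client_encrypted": encrypted.uploads,   # every user pays in full
    }


# Constructed sample: three chunks of random bytes, so the chunks differ from each other.
SAMPLE_FILE = os.urandom(3 * CHUNK_SIZE)

if __name__ == "__main__":
    print(demo(SAMPLE_FILE))
```

The numbers tell the story: with plaintext hashing the second user's upload costs nothing and an edit costs one chunk, which is the behaviour Dropbox advertised; once each user holds their own key, the store sees six unrelated chunks for the same file and cannot deduplicate at all. A service that offers cross-user dedup and "inaccessible without your password" at the same time is therefore either hashing your plaintext or holding the key itself.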

On April 12, the Dropbox help site said:

Dropbox employees aren’t able to access user files, and when troubleshooting an account, they only have access to file metadata (filenames, file sizes, etc. not the file contents)… All files stored on Dropbox servers are encrypted (AES-256) and are inaccessible without your account password.

Soghoian published his findings on April 12. Starting on or before April 14, Dropbox changed that help page, and changed it again on April 23, so it now says:

Dropbox employees are prohibited from viewing the content of files you store in your Dropbox account, and are only permitted to view file metadata… we have a small number of employees who must be able to access user data for the reasons stated in our privacy policy (e.g., when legally required to do so). But that’s the rare exception, not the rule. We have strict policy and technical access controls that prohibit employee access except in these rare circumstances… All files stored on Dropbox servers are encrypted (AES-256)

A little different, eh?

Dropbox followed up on April 21, discussing employee access to encrypted data, and explaining changes to its Terms of Service Agreement, including this new TOS provision:

We may disclose to parties outside Dropbox files stored in your Dropbox and information about you that we collect when we have a good faith belief that disclosure is reasonably necessary to (a) comply with a law, regulation or compulsory legal request; (b) protect the safety of any person from death or serious bodily injury; (c) prevent fraud or abuse of Dropbox or its users; or (d) to protect Dropbox’s property rights.

Yes, you read that correctly. Dropbox now asserts that it can decrypt and pass your data on to a third party if Dropbox feels it needs to do so, in order to protect its property rights.

As a result, Soghoian has filed a 16-page complaint with the U.S. Federal Trade Commission, which asks the FTC to have Dropbox admit that it can get at Dropbox data, making your data vulnerable to an attack on Dropbox’s servers; require Dropbox to email its 25 million customers to warn them of the potential problem and suggest that customers encrypt their data independently; force Dropbox to refund money to people who paid for “Pro” service, if they felt they were deceived; and enjoin Dropbox from making future deceptive statements.

This article, “Dropbox caught with its finger in the cloud cookie jar,” was originally published at InfoWorld.com.

1 reply

Amber Achim says:
July 21, 2011 at 7:37 pm

So now what??? Is there another similar service you would recommend?
