Critical Security Alert: Dropbox Found to be Insecure -- But Dangerously So?

Last Updated Apr 17, 2011 9:42 PM EDT

Do you -- or your employees -- use Dropbox to store and share documents which might be considered business confidential? What about personal financial information? If so, you might want to rethink that plan, because one security expert has dubbed the service "insecure by design."

Derek Newton, on his blog Information Security Insights, last week exposed a serious security issue with Dropbox. The details are a bit complicated -- Newton writes about config files and SQLite databases. But the bottom line is that Dropbox stores a single file on your computer that is essentially the keys to your Dropbox kingdom. If that file is copied, such as onto a USB memory key or via e-mail, and placed on another PC, all of your Dropbox files will automatically sync on that new PC, no password or further authentication required.

A few things to point out here:
  • You, the rightful Dropbox owner, get no notification of any kind that your files are now syncing to another PC.
  • That new PC does not show up in your "My Computers" list in your Dropbox account settings.
  • Changing your Dropbox password does not affect the new PC's access.
That's pretty scary, since someone can silently gain access to your Dropbox account and not only will you never know, but there's no easy way to revoke their access. You do currently have one way to solve the problem -- you can remove the computer from which the config file was stolen, but in order for that to work, you have to know you've had a security breach, and then you also need to know on which computer it occurred.

So, now that you're a little worried, time for the million dollar question: How serious is this threat? On one level, not terribly serious. That's because in order for your Dropbox account to be breached, someone must get physical access to your PC and copy the config file. And if someone has physical access to your PC, then Dropbox access might be the least of your problems.

That said, this can be quite worrisome, depending upon how you or your employees use Dropbox. Dropbox, for its part, has commented on the disclosure:
"There are measures that can be taken to make it more difficult (though not impossible) to gain access to the authentication cookie which we'll consider in the future. That said, Dropbox isn't any less secure than other web service."
