Criticism of Dropbox

From Wikipedia, the free encyclopedia
Jump to navigation Jump to search

Criticism of Dropbox centers around various forms of security and privacy controversies surrounding Dropbox, an American company specializing in cloud storage and file synchronization. Issues include a June 2011 authentication problem that let accounts be accessed for several hours without passwords, a July 2011 Privacy Policy update with language suggesting Dropbox had ownership of users' data, concerns about Dropbox employee access to users' information, July 2012 email spam with reoccurrence in February 2013, leaked government documents in June 2013 with information that Dropbox was being considered for inclusion in the National Security Agency's PRISM surveillance program, a July 2014 comment from NSA whistleblower Edward Snowden criticizing Dropbox's encryption, the leak of 68 million account passwords on the Internet in August 2016, and a January 2017 accidental data restoration incident where years-old supposedly deleted files reappeared in users' accounts.

April 2011 user authentication file information[edit]

Dropbox has been criticized by the independent security researcher Derek Newton, who wrote in April 2011 that Dropbox stored user authentication information in a file on the computer that was "completely portable and is *not* tied to the system in any way". In explaining the issue, Newton wrote: "This means that if you gain access to a person's config.db file (or just the host_id), you gain complete access to the person's Dropbox until such time that the person removes the host from the list of linked devices via the Dropbox web interface." He updated his post in October 2011 to write that "Dropbox has release version 1.2.48 that utilizes an encrypted local database and reportedly puts in place security enhancements to prevent theft of the machine credentials."[1] A report from The Next Web featured a comment from Dropbox, in which they disagreed with Newton that the topic was a security flaw, explaining that "The researcher is claiming that an attacker would be able to gain access to a user's Dropbox account if they are able to get physical access to the user's computer. In reality, at the point an attacker has physical access to a computer, the security battle is already lost. [...] this 'flaw' exists with any service that uses cookies for authentication (practically every web service)."[2]

May 2011 data deduplication and employee access[edit]

In May 2011, a complaint was filed with the U.S. Federal Trade Commission alleging Dropbox misled users about the privacy and security of their files. At the heart of the complaint was the policy of data deduplication, where the system checks if a file has been uploaded before by any other user, and links to the existing copy if so; and the policy of using a single AES-256 key for every file on the system so Dropbox can (and does, for deduplication) look at encrypted files stored on the system, with the consequence that any intruder who gets the key (as well as potential Dropbox employees) could decrypt any file if they had access to Dropbox's backend storage infrastructure.[3] In a response on its blog, Dropbox wrote that "Like most major online services, we have a small number of employees who must be able to access user data when legally required to do so. But that's the exception, not the rule. We have strict policy and technical access controls that prohibit employee access except in these rare circumstances. In addition, we employ a number of physical and electronic security measures to protect user information from unauthorized access."[4] In response to the FTC complaint, Dropbox spokeswoman Julie Supan told InformationWeek that "We believe this complaint is without merit, and raises issues that were addressed in our blog post on April 21."[3]

June 2011 account access without password[edit]

On June 20, 2011, TechCrunch reported that all Dropbox accounts could be accessed without password for four hours.[5] In a blog post, co-founder Arash Ferdowsi wrote that "Yesterday we made a code update at 1:54pm Pacific time that introduced a bug affecting our authentication mechanism. We discovered this at 5:41pm and a fix was live at 5:46pm. A very small number of users (much less than 1 percent) logged in during that period, some of whom could have logged into an account without the correct password. As a precaution, we ended all logged in sessions." He wrote that a "thorough investigation" was being conducted, and that "This should never have happened. We are scrutinizing our controls and we will be implementing additional safeguards to prevent this from happening again."[6] Julianne Pepitone, writing for CNNMoney, wrote that "It's the security nightmare scenario: A website stuffed with sensitive documents leaves all of its customer data unprotected and exposed", and featured a comment from Dave Aitel, president and CEO of security firm Immunity Inc., saying "Any trust in the cloud is too much trust in the cloud -- it's as simple as that. [...] It's pretty much the standard among security professionals that you should put on the cloud only what you would be willing to give away."[7]

July 2011 Privacy Policy update[edit]

In July 2011, Dropbox updated its Terms of Service, Privacy Policy, and Security Overview agreements. The new Privacy Policy sparked criticism, as noted by Christopher White in a Neowin post, in which he wrote that "They attempted to reduce some of the tedious legalese in order to make it easier for normal people to understand. It appears that they have succeeded in that mission and in the process have taken ownership of every file that uses their service". Citing a paragraph in the updated Privacy Policy that Dropbox needed user permission to "use, copy, distribute, prepare derivative works (such as translations or format conversions) of, perform, or publicly display" user's data, White wrote that "This broad terminology is frightening for end users because it clearly lets Dropbox take a person’s work, whether it is photographs, works of fiction, or scientific research, and gives the company the right to do whatever they want with no recourse from the original owner". After users expressed concerns about the change, Dropbox once again updated its policy, adding "This license is solely to enable us to technically administer, display, and operate the Services." White concluded by writing that "While this is a step in the right direction, it still makes no sense as to why a product that is used to move files from one computer to another needs the ability to "prepare derivative works of" anyone's files."[8][9]

July 2012 email spam and February 2013 reoccurrence[edit]

In July 2012, Dropbox hired "outside experts" to figure out why some users were receiving e-mail spam from Dropbox.[10] In a post on its blog, Dropbox employee Aditya Agarwal wrote that "usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. We've contacted these users and have helped them protect their accounts." However, Agarwal also noted that "A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam. We're sorry about this, and have put additional controls in place to help make sure it doesn't happen again." One of the additional controls implemented was the introduction of two-factor authentication.[11][12] In February 2013, users reported additional spam, with the company stating that "At this time, we have not seen anything to suggest this is a new issue", and blamed the earlier e-mail spam issue from the past July.[13]

June 2013 PRISM program[edit]

In June 2013, The Guardian and The Washington Post publicized confidential documents suggesting Dropbox was being considered for inclusion in the National Security Agency's classified PRISM program of Internet surveillance.[14][15]

January 2014 outage[edit]

On January 11, 2014, Dropbox experienced an outage. A hacker group called The 1775 Sec posted on Twitter that it had compromised Dropbox's site "in honor of Internet activist and computer programmer Aaron Swartz, who committed suicide a year ago". However, Dropbox itself posted on Twitter that "Dropbox site is back up! Claims of leaked user info are a hoax. The outage was caused during internal maintenance. Thanks for your patience!"[16][17][18] In a blog post detailing the issue, Dropbox's Akhil Gupta wrote that "On Friday at 5:30 PM PT, we had a planned maintenance scheduled to upgrade the OS on some of our machines. During this process, the upgrade script checks to make sure there is no active data on the machine before installing the new OS. A subtle bug in the script caused the command to reinstall a small number of active machines. Unfortunately, some master-replica pairs were impacted which resulted in the site going down." Gupta also noted that "Your files were never at risk during the outage".[19]

April 2014 Condoleezza Rice appointment to board of directors[edit]

In April 2014, Dropbox announced that Condoleezza Rice would be joining their board of directors,[20] prompting criticism from some users who were concerned about her appointment due to her history as United States Secretary of State and revelations of "widespread wiretapping on US citizens during her time in office".[21] RiceHadleyGates, a consultancy firm consisting of Rice, former US national security adviser Stephen Hadley, and former US Secretary of Defense Robert Gates, had previously advised Dropbox.[22]

May 2014 disabled shared links[edit]

In May 2014, Dropbox temporarily disabled shared links. In a blog post, the company detailed a web vulnerability scenario where sharing documents containing hyperlinks would cause the original shared Dropbox link to become accessible to the website owner if a user clicked on the hyperlink found in the document. Some types of shared links remained disabled over the next few weeks until Dropbox eventually made changes to the functionality.[23][24]

July 2014 Snowden comment[edit]

In a July 2014 interview, former NSA contractor Edward Snowden called Dropbox "hostile to privacy" because its encryption model enables the company to surrender user data to government agencies, and recommended using the competing service SpiderOak instead. In response, a Dropbox spokeswoman stated that "Safeguarding our users' information is a top priority at Dropbox. We've made a commitment in our privacy policy to resist broad government requests, and are fighting to change laws so that fundamental privacy protections are in place for users around the world".[25]

October 2014 account compromise hoax[edit]

In October 2014, an anonymous user on Pastebin claimed to have compromised "almost seven million" Dropbox usernames and passwords, gradually posting the info. However, in a blog post, Dropbox stated "Recent news articles claiming that Dropbox was hacked aren't true. Your stuff is safe. The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. [...] A subsequent list of usernames and passwords has been posted online. We've checked and these are not associated with Dropbox accounts."[26][27][28]

August 2016 password leak[edit]

In August 2016, email addresses and passwords for 68 million Dropbox accounts were published online, with the information originating from the 2012 email spam issue.[29][30][31] Independent security researcher Troy Hunt checked the database against his data leak website, and verified the data by discovering that both the accounts belonging to him and his wife had been disclosed. Hunt commented that "There is no doubt whatsoever that the data breach contains legitimate Dropbox passwords, you simply can't fabricate this sort of thing".[32] In a blog post, Dropbox stated: "The list of email addresses with hashed and salted passwords is real, however we have no indication that Dropbox user accounts have been improperly accessed. We're very sorry this happened and would like to clear up what's going on." The company outlined details that the information was "likely obtained in 2012", with the company first hearing about the list two weeks earlier, at which time they immediately started an investigation. "We then emailed all users we believed were affected and completed a password reset for anyone who hadn't updated their password since mid-2012. This reset ensures that even if these passwords are cracked, they can't be used to access Dropbox accounts."[33]

January 2017 accidental data restoration[edit]

In January 2017, Dropbox restored years-old supposedly deleted files and folders in user accounts. In one example, a user reported that folders from 2011 and 2012 returned. In explaining the issue, a Dropbox employee wrote on its forum that "A bug was preventing some files and folders from being fully deleted off our servers, even after users had deleted them from their Dropbox accounts. While fixing the bug, we inadvertently restored the impacted files and folders to those users' accounts. This was our mistake; it wasn't due to a third party and you weren't hacked. Typically, we permanently remove files and folders from our servers within 60 days of a user deleting them. However, the deleted files and folders impacted by this bug had metadata inconsistencies. So we quarantined and excluded them from the permanent deletion process until the metadata could be fixed".[34][35]

References[edit]

  1. ^ Newton, Derek (April 7, 2011). "Dropbox authentication: insecure by design". Derek Newton. Retrieved February 17, 2017.
  2. ^ Brian, Matt (April 8, 2011). "Dropbox security hole could let others access your files [Updated]". The Next Web. Retrieved February 17, 2017.
  3. ^ a b Schwartz, Mathew (May 16, 2011). "Dropbox Accused Of Misleading Customers On Security". InformationWeek. UBM plc. Archived from the original on October 20, 2012. Retrieved February 17, 2017. Cite uses deprecated parameter |deadurl= (help)
  4. ^ Houston, Drew; Ferdowsi, Arash (April 21, 2011). "Privacy, Security & Your Dropbox (Updated)". Dropbox Blog. Dropbox. Retrieved February 17, 2017.
  5. ^ Kincaid, Jason (June 20, 2011). "Dropbox Security Bug Made Passwords Optional For Four Hours". TechCrunch. AOL. Retrieved February 17, 2017.
  6. ^ Ferdowsi, Arash (June 20, 2011). "Yesterday's Authentication Bug". Dropbox Blog. Dropbox. Retrieved February 17, 2017.
  7. ^ Pepitone, Julianne (June 22, 2011). "Dropbox's password nightmare highlights cloud risks". CNNMoney. Time Warner. Retrieved February 17, 2017.
  8. ^ White, Christopher (July 2, 2011). "Dropbox can legally sell all of your files [Update]". Neowin. Retrieved February 17, 2017.
  9. ^ Houston, Drew; Ferdowsi, Arash (July 1, 2011). "Changes to our policies (updated)". Dropbox Blog. Dropbox. Retrieved February 17, 2017.
  10. ^ Brodkin, Jon (July 18, 2012). "Dropbox hires "outside experts" to investigate possible e-mail breach". Ars Technica. Condé Nast. Retrieved February 17, 2017.
  11. ^ Agarwal, Aditya (July 31, 2012). "Security update and new features". Dropbox Blog. Dropbox. Retrieved February 17, 2017.
  12. ^ Brodkin, Jon (August 1, 2012). "Dropbox confirms it got hacked, will offer two-factor authentication". Ars Technica. Condé Nast. Retrieved February 17, 2017.
  13. ^ Robertson, Adi (February 28, 2013). "Dropbox users claim email addresses leaked to spammers, company blames 2012 security breach". The Verge. Vox Media. Retrieved February 17, 2017.
  14. ^ Greenwald, Glenn; MacAskill, Ewen (June 7, 2013). "NSA Prism program taps in to user data of Apple, Google and others". The Guardian. Guardian Media Group. Retrieved February 17, 2017.
  15. ^ Gellman, Barton; Poitras, Laura (June 7, 2013). "U.S., British intelligence mining data from nine U.S. Internet companies in broad secret program". The Washington Post. Retrieved February 17, 2013.
  16. ^ "Dropbox site is back up! Claims of leaked user info are a hoax. The outage was caused during internal maintenance. Thanks for your patience!". Twitter. January 11, 2014. Retrieved February 17, 2017.
  17. ^ Swartz, Jon (January 11, 2014). "Dropbox says outage arose from routine maintenance". USA Today. Gannett Company. Retrieved February 17, 2017.
  18. ^ "Dropbox hit by outage on Friday, denies that it was hacked". PC World. International Data Group. January 10, 2014. Retrieved February 17, 2017.
  19. ^ Gupta, Akhil (January 12, 2014). "Outage post-mortem". Dropbox Blog. Dropbox. Retrieved February 17, 2017.
  20. ^ Houston, Drew (April 9, 2014). "Growing our leadership team". Dropbox Blog. Dropbox. Retrieved February 8, 2017.
  21. ^ "Controversy flares as Condoleezza Rice joins Dropbox board". BBC News. April 11, 2014. Retrieved February 8, 2017.
  22. ^ Stone, Brad; Levy, Ari (April 11, 2014). "Dropbox's Next Chapter: Corporate Customers, IPO, Condi Rice, and Eddie Vedder". Bloomberg L.P. Retrieved February 8, 2017.
  23. ^ Agarwal, Aditya (May 5, 2014). "Web vulnerability affecting shared links". Dropbox Blog. Dropbox. Retrieved February 17, 2017.
  24. ^ Lee, Dave (May 6, 2014). "Warning over unintentional file leak from storage sites". BBC News. Retrieved February 17, 2017.
  25. ^ Yadron, Danny; MacMillan, Douglas (July 17, 2014). "Snowden Says Drop Dropbox, Use SpiderOak". The Wall Street Journal. News Corp. Retrieved February 17, 2017. (subscription required)
  26. ^ Mityagin, Anton (October 13, 2014). "Dropbox wasn't hacked". Dropbox Blog. Dropbox. Retrieved February 17, 2017.
  27. ^ Lomas, Natasha (October 14, 2014). "Dropbox Confirms Compromised Account Details But Says Its Servers Weren't Hacked". TechCrunch. AOL. Retrieved February 17, 2017.
  28. ^ Lewis, Dave (October 14, 2014). "Was Dropbox Hacked? Not So Fast". Forbes. Retrieved February 17, 2017.
  29. ^ Mendelsohn, Tom (August 31, 2016). "Dropbox hackers stole e-mail addresses, hashed passwords from 68M accounts". Ars Technica. Condé Nast. Retrieved February 17, 2017.
  30. ^ Brandom, Russell (August 31, 2016). "Dropbox's 2012 breach was worse than the company first announced". The Verge. Vox Media. Retrieved February 17, 2017.
  31. ^ McGoogan, Cara (August 31, 2016). "Dropbox hackers stole 68 million passwords - check if you're affected and how to protect yourself". The Daily Telegraph. Telegraph Media Group. Retrieved February 17, 2017.
  32. ^ Gibbs, Samuel (August 31, 2016). "Dropbox hack leads to leaking of 68m user passwords on the internet". The Guardian. Guardian Media Group. Retrieved February 17, 2017.
  33. ^ Heim, Patrick (August 25, 2016). "Resetting passwords to keep your files safe". Dropbox Blog. Dropbox. Retrieved February 17, 2017.
  34. ^ Tung, Liam (January 25, 2017). "Dropbox bug kept users' deleted files on its servers for six years". ZDNet. CBS Interactive. Retrieved February 18, 2017.
  35. ^ Hackett, Robert (January 25, 2017). "Dropbox Didn't Actually Delete Your 'Deleted' Files". Fortune. Time Inc. Retrieved February 18, 2017.