It looks as though yesterday Dropbox had a bit of a security snafu, allowing anyone to log in to any account using any password they liked.

An email thread detailing what happened has been saved on Pastebin, posted by Christopher Soghoian, a Ph.D. candidate in the School of Informatics and Computing at Indiana University. He was contacted by a friend who noticed, while updating his Dropbox password, that he could use any password at all.

Finding this security issue seems to have been a complete fluke. Soghoian’s friend updated his password and then “fat-fingered an extra character”, but it still logged him in. After further confirming the issue on his own account, he proceeded to test it on two of his friends’ accounts using one-character passwords. Both worked and gave him access to the accounts.

Being more than a little concerned about what he’d just achieved, Soghoian’s friend contacted Dropbox support and described the problem he had encountered. Sure enough, he got a response from Arash Ferdowsi, Dropbox founder and CTO. First Arash asked him to try to log in again using any password. When he confirmed he could not, Arash sent another response that may surprise anyone with a Dropbox account:

There was a very brief glitch and this should never happen/be possible again. Thanks for the email.

Based on the timestamps in the email thread, this brief glitch was open to abuse from 5:10pm to 5:59pm (PDT) at the very least. It was definitely fixed by 6:06pm, when Soghoian’s friend confirmed he could no longer log in with any password. What we don’t know is how long it was active before he discovered it.

What we’d like to know is how a glitch can disable Dropbox’s password checking entirely. Also, how was it left to a user to notice that such a “feature” had been turned on?
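The kind of check that would have caught this class of glitch before a user did, as an added example (not Dropbox’s code; the article names no implementation details): a salted password verifier plus a post-deploy smoke test that asserts wrong passwords, including the extra-character and one-character cases described above, are rejected while the correct one is accepted.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory user store for the example: username -> (salt, hash).
_USERS = {}


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 with a per-user salt; iteration count chosen for the example.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def set_password(username: str, password: str) -> None:
    salt = os.urandom(16)
    _USERS[username] = (salt, _hash(password, salt))


def verify_password(username: str, password: str) -> bool:
    record = _USERS.get(username)
    if record is None:
        # Unknown user: still do one hash so timing does not reveal which usernames exist.
        _hash(password, b"\x00" * 16)
        return False
    salt, expected = record
    # Constant-time comparison of the derived hash against the stored one.
    return hmac.compare_digest(_hash(password, salt), expected)


def auth_negative_checks(username: str, correct: str) -> dict:
    """Smoke test for a deploy: every wrong credential must be rejected."""
    wrong = {
        "extra_char": correct + "x",   # the "fat-fingered" case from the article
        "one_char": "a",               # the one-character passwords that also worked
        "empty": "",
        "truncated": correct[:-1],
        "random": secrets.token_urlsafe(12),
    }
    results = {name: verify_password(username, pw) for name, pw in wrong.items()}
    results["correct"] = verify_password(username, correct)
    return results


def auth_is_sane(username: str, correct: str) -> bool:
    # True only if the correct password is accepted and every wrong one is refused.
    r = auth_negative_checks(username, correct)
    return r.pop("correct") is True and not any(r.values())
```

Run `auth_is_sane` against a dedicated canary account after every authentication deploy; a False result is the signal to roll back before anyone else notices.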

Luckily for Dropbox, it doesn’t seem to have caused any major issues, mainly because no one else noticed and the person who found it contacted Dropbox support immediately.

