A thread detailing what happened has been saved on Pastebin, posted by Christopher Soghoian, a Ph.D. candidate in the School of Informatics and Computing at Indiana University. He was contacted by a friend who noticed, while updating his Dropbox password, that he could log in with any password at all.
Finding this security issue seems to have been a complete fluke. Soghoian's friend updated his password and then "fat-fingered an extra character", but it still logged him in. After further confirming the issue on his own account, he proceeded to test it on two of his friends' accounts using one-character passwords. Both worked and gave him access to the accounts.
Being more than a little concerned about what he'd just achieved, Soghoian's friend contacted Dropbox support and detailed the problem he had encountered. Sure enough, he got a response from Arash Ferdowsi, Dropbox founder and CTO. First Arash asked him to try to log in again using any password. When it was confirmed that he could not, Arash sent another response that may surprise anyone with a Dropbox account:
There was a very brief glitch and this should never happen/be possible again. Thanks for the email.
Based on the timestamps listed in the email thread, this brief glitch was open to abuse from 5:10pm to 5:59pm (PDT) at the very least. It was definitely fixed by 6:06pm, when Soghoian's friend confirmed he couldn't log in with any password anymore. What we don't know is how long it was active before this guy discovered it.
What we'd like to know is how a glitch can remove the password checking system for Dropbox. Also, how is it that a user was the one left to notice such a "feature" had been turned on?
Luckily for Dropbox, it doesn't seem to have caused any major issues, mainly because no one noticed and the person who found it contacted Dropbox support immediately.
Originally posted at: geek.com