Web-based file hosting service Dropbox has spent the last few hours with a flaw in its login system that allowed anyone to sign into an account with an arbitrary password, or even by typing a single character.
The security issue was discovered by researcher Christopher Soghoian on Monday, after a friend of his changed his password, then logged in with an extra character typed onto it and was still let in.
Dropbox said the problem was caused by a code update that introduced a bug in the authentication mechanism, which left the system open to anyone who knew an account's email address.
Arash Ferdowsi posted on the Dropbox blog, “during that period, a very small number of users (much less than 1 percent) logged in, some of whom could have logged into an account without the correct password. As a precaution, we ended all logged in sessions.”
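The failure described above is an authentication check that stops depending on the submitted password. The following is an added example, not Dropbox's code and not the actual bug (the post does not say what the faulty update changed): a correct PBKDF2-based verifier next to a hypothetical regressed one whose comparison is always true, plus the negative checks a deploy gate would run so that a change of this kind cannot reach production. The user record, the `make_record`, `verify_password`, `verify_password_buggy` and `login_regression_checks` names, and the test passwords are all constructed here.

```python
import hashlib
import hmac
import os


def make_record(password: str, iterations: int = 100_000) -> dict:
    """Constructed credential store entry: random salt + PBKDF2-SHA256 hash.
    This is an illustration, not the scheme Dropbox uses."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify_password(record: dict, candidate: str) -> bool:
    """Correct check: recompute the hash from the *submitted* password and
    compare it with the stored hash in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["hash"])


def verify_password_buggy(record: dict, candidate: str) -> bool:
    """Hypothetical regression of the kind the article describes: a refactor
    leaves the comparison checking the stored hash against itself, so the
    submitted password no longer influences the result and every login
    succeeds. Kept here only as the 'before' case for the regression checks."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), record["salt"], record["iterations"]
    )
    stored = record["hash"]
    # Bug: compares stored with stored instead of digest with stored.
    return hmac.compare_digest(stored, stored)


def login_regression_checks(verify, record: dict, correct: str) -> dict:
    """Negative tests a pre-deploy gate should run against the verifier.

    The positive case (correct password accepted) is what most test suites
    cover; the cases that would have caught an always-true check are the
    negative ones: empty password, a single character, a random string,
    the correct password with one character appended (the case the
    researcher's friend hit), and the correct password truncated by one."""
    wrong_candidates = [
        "",
        "a",
        "completely-wrong-password",
        correct + "x",
        correct[:-1],
    ]
    return {
        "accepts_correct": verify(record, correct),
        "rejects_all_wrong": all(not verify(record, w) for w in wrong_candidates),
    }


if __name__ == "__main__":
    rec = make_record("hunter2-correct")  # constructed sample credential
    for name, fn in (("hardened", verify_password), ("buggy", verify_password_buggy)):
        print(name, login_regression_checks(fn, rec, "hunter2-correct"))
```

The point of `login_regression_checks` is that both verifiers pass the positive test; only the negative cases separate them, which is why a login regression suite needs explicit "wrong password must be rejected" assertions and not just "right password works".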
Security experts have warned that an error of this kind is a particular problem for business users who rely on the service to sync and share documents.
“Organisations need to have policies in place to authorise, prevent and/or audit the use of services such as Drop Box,” said Tenable’s CEO, Ron Gula.
“If the file shared via Drop Box was encrypted, Drop Box security may not be an issue. However, if the file shared via Drop Box was an employee or customer spreadsheet, then any security issue with Drop Box could result in the disclosure of this sensitive information,” he said.