From XXX

To Christopher Soghoian <chris@soghoian.net>

date Sun, Jun 19, 2011 at 9:57 PM

subject Re: [Dropbox Support] Re: DB: account can be accessed with any password!

I don't have much more in the way of useful details (e.g. screen video showing it in action), though I do have one other guy who performed the same tests b/c I wanted to rule out that my local-to-my-machine dropbox software was doing it somehow or that I was nuts.

What I can tell you is that I've recently noticed from slashdot/ars that lulzsec & friends are hacking the hell out of everything and posting email/passwords online, so I thought it would be smart to generate hard & unique passwords for sites. I was worried about losing them so I put them in KeePass on dropbox, despite reading the thread a while back about how dropbox staff can access my stuff - I thought that was an acceptable level of risk.

Then today I got email from mtgox.com saying they'd been hacked, and I realized that while my KeePass file is encrypted, I use the same semi-throwaway password on dropbox as lots of other non-bank places. Oh boy. So I went to dropbox to change my password & the password change page looked flaky - I can't describe this in much more detail than to say that I clicked ok and nothing really seemed to happen. Did it work? Not sure, let's try the old password. Oh, it still works, so let's change it again. That appeared to work (I got a password updated message) - let's try the new password. Yup, good. Wait, I'm pretty sure I fat-fingered an extra character though -- etc. Which led to me realizing that any password at all was fine, at which point I logged into the accounts of two friends using 1-character passwords like 'q' and 'z'. Then I contacted one of those friends and had him repeat the experiment - AIM session below.

[Note from Chris: I removed this entire IM conversation]

You're welcome to post this somewhere although I'd prefer that my friend and I were anonymous.

Thanks,

XXX

On Sun, Jun 19, 2011 at 9:33 PM, Christopher Soghoian <chris@soghoian.net> wrote:

And can I post this thread online somewhere?

On Sun, Jun 19, 2011 at 9:32 PM, Christopher Soghoian <chris@soghoian.net> wrote:

Holy cow.

Do you have more details?

On Sun, Jun 19, 2011 at 9:20 PM, XXX wrote:

Hi Chris,

If you're still involved in the dropbox investigation, there was an interesting development this afternoon. I found I was able to log into my account using an incorrect password, and on further investigation I found I could log in and access files on any of the three accounts I tested (mine and two friends') using any password.

This is corroborated by the admittedly-thin dropbox tech support thread below.

So evidently they fail open when auth is busted, or sometimes they roll dev code, or....? This has me really bummed because I just "fixed" my exposure to website password theft by generating gnarly passwords with KeePass and storing them on dropbox. Sigh.

- XXX
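The fail-open behaviour the writer speculates about, as an added illustration that is not part of this e-mail thread and not Dropbox's code: a credential check that treats a backend error (or an unknown user) as "no objection" lets any password through, while a default-deny check grants access only on an explicit match. The user store, user name and password below are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed in-memory credential store for the demo (hypothetical data).
_SALT = os.urandom(16)
_ITERATIONS = 100_000
_USERS = {
    "alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, _ITERATIONS),
}


class BackendUnavailable(Exception):
    """Raised when the credential store cannot be consulted."""


def _stored_hash(username, backend_ok):
    # backend_ok=False simulates an outage or a broken deploy of the auth service.
    if not backend_ok:
        raise BackendUnavailable("credential store unreachable")
    return _USERS.get(username)


def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)


def login_fail_open(username, password, backend_ok=True):
    """Buggy pattern: deny only on an explicit mismatch, succeed otherwise.

    A backend error or an unknown user falls through to the success path,
    so any password is accepted as soon as the check cannot run."""
    try:
        expected = _stored_hash(username, backend_ok)
        if expected is not None and not hmac.compare_digest(_hash(password), expected):
            return False
    except BackendUnavailable:
        pass  # swallowed: nothing below distinguishes "not checked" from "checked"
    return True


def login_fail_closed(username, password, backend_ok=True):
    """Hardened pattern: default deny; only a verified match grants access."""
    try:
        expected = _stored_hash(username, backend_ok)
    except BackendUnavailable:
        return False  # cannot verify, so refuse rather than guess
    if expected is None:
        return False  # unknown user is a denial, not a pass
    return hmac.compare_digest(_hash(password), expected)
```

The fail-closed variant also avoids leaking whether the user exists, since every non-match path returns the same value.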

---------- Forwarded message ----------

From: Arash Ferdowsi <notifications-support@dropbox.zendesk.com>

Date: Sun, Jun 19, 2011 at 9:08 PM

Subject: [Dropbox Support] Re: DB: account can be accessed with any password!

To: XXX


Arash Ferdowsi, Jun-19 06:08 pm (PDT):

hi XXX,

there was a very brief glitch and this should never happen/be possible again. thanks for the email.

-arash

XXX, Jun-19 06:06 pm (PDT):

Looks ok - as of now I can only log in using my password. Fake passwords don't work.

However, I checked with two friends and we were also able to log into their accounts using any password.

Do dropboxes fail open when the auth server is broken or something? yikes.

Arash Ferdowsi, Jun-19 05:59 pm (PDT):

hi XXX,

can you try this again and confirm only your new password works on the computer you are on? thanks

-arash

XXX, Jun-19 05:10 pm (PDT):

Hi folks.

No matter what computer I use (including ones I've never logged onto before), I can log into XXX using ANY password. YIKES