Too Good to be True: Dropbox’s Little Security Problem


July 31, 2013 Written by: Brian Focht 3 comments

Yeah, I have to admit that I love Dropbox. It may be the second most useful app I have on my iPad (the most useful is iAnnotate, which I'll discuss at another time). It's freaking great! Files transfer seamlessly (or as seamlessly as your internet connection allows). I can make changes on my computer at home, upload those changes to Dropbox, make additional changes on my iPad, then use Dropbox to transfer that version to my work computer. What's not to love?

Oh, right. Dropbox is, apparently, a gigantic, gaping hole in your company’s firewall and information security system.

We all know that companies ban employees from using certain websites while at work. It's not helpful for productivity when employees spend the day on Facebook, and while there would probably be a second revolution, it isn't hard to understand why companies would want to block sports or betting sites during the NCAA Men's Basketball Tournament.

Companies are wising up to the use of apps too, a problem that is becoming more prevalent in the growing world of "BYOD" (Bring Your Own Device). A list of the Top 10 Most Banned Apps (for iOS and Android) was published earlier this month, and it contained plenty of the usual suspects: Angry Birds had a place on both lists, as did Facebook and Netflix. However, I was quite surprised to find Dropbox on both lists. Ok, actually, let me modify that: I was quite surprised to find Dropbox WAS THE #1 MOST BANNED APP ON BOTH LISTS.

I figured, well, banning Dropbox keeps people from bringing personal stuff into the office, and probably also keeps office files from walking out the door unmonitored. Preventing employee theft seems like a good idea to me, so I continued reading. Turns out preventing employees from using Dropbox was only a small part of the story. The rest? We'll call it "Dropbox's Little Security Problem."

What is Dropbox’s Little Security Problem, you ask? Check this out:

Jacob Williams is what's known as a pen tester: companies hire him to break into their own systems, with permission, so they learn about the holes before a real attacker does (basically a 2013 version of Robert Redford's character in Sneakers). He was hired by a company to test its security by attempting to hack into its network. He was COMPLETELY stymied. They had him blocked out entirely…

Until he found out that a company VP had Dropbox on his home computer. Using a small program, he infiltrated the company's ENTIRE SYSTEM within days. This formerly impregnable, hacker-proof system was undone simply because the VP used Dropbox at home. (In case you're wondering, the worst thing about Dropbox is what you love about it most: the synchronization feature. Anything that lands in the Dropbox folder on one machine is copied to every other machine linked to that account, so a file planted on a poorly protected home PC arrives on the work PC inside the corporate network without ever passing through the firewall, web filter or mail gateway. The same channel works in reverse for getting files out.) Also, if you're a nerd like me, you'll enjoy the part of the article that describes how he did it. Soooo… it turns out that Dropbox's Little Security Problem may not be so little after all.
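One practical consequence for defenders: a personal sync folder on a corporate machine is a file-ingress path that none of the usual perimeter controls see, so it has to be watched on the endpoint itself. The script below is an added example written for this post (it is not Dropbox's code and not the pen tester's tool). It walks a sync folder and flags executable or script files that appeared recently, including the "invoice.pdf.exe" double-extension trick. The folder path, the list of risky extensions and the sample files are all assumptions constructed for the demonstration.

```python
"""Flag risky file types that recently appeared in a cloud-sync folder.

Added example for this article, not code from Dropbox or from the pen test
it describes. Paths, extensions and sample files are assumptions.
"""
import os
import tempfile
import time
from pathlib import Path

# Assumption: file types that should never arrive on a corporate host via a
# personal sync folder. Extend to taste (.docm, .hta, .lnk, ...).
RISKY_SUFFIXES = {
    ".exe", ".dll", ".scr", ".msi", ".bat", ".cmd",
    ".ps1", ".vbs", ".js", ".jar", ".hta", ".lnk",
}


def find_risky_files(sync_dir, since_epoch):
    """Return sync-relative paths of risky files modified at or after since_epoch.

    Only the final suffix is checked, so 'invoice.pdf.exe' is caught as .exe
    while 'report.exe.txt' is not flagged (Windows would treat it as text).
    Comparison is case-insensitive because Windows file names are.
    """
    sync_dir = Path(sync_dir)
    hits = []
    for root, _dirs, files in os.walk(sync_dir):
        for name in files:
            path = Path(root) / name
            if path.suffix.lower() not in RISKY_SUFFIXES:
                continue
            if path.stat().st_mtime < since_epoch:
                continue  # old file, already present before the window
            hits.append(path.relative_to(sync_dir).as_posix())
    return sorted(hits)


def demo():
    """Build a constructed sync folder in a temp dir and scan the last hour.

    Returns the list of flagged paths so the result can be checked directly.
    """
    now = time.time()
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        samples = {
            "Finance/invoice.pdf.exe": "MZ...",      # double extension, new
            "tools/Update.PS1": "Start-Process ...",  # script, new, odd case
            "notes/meeting.txt": "minutes",           # harmless
            "legacy/old_setup.exe": "MZ...",          # risky type but old
            "archive/report.exe.txt": "text",         # final suffix is .txt
        }
        for rel, content in samples.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(content)
        # Back-date the legacy installer to 2001 so it falls outside the window.
        old = root / "legacy/old_setup.exe"
        os.utime(old, (1_000_000_000, 1_000_000_000))

        return find_risky_files(root, since_epoch=now - 3600)


if __name__ == "__main__":
    for hit in demo():
        print("RISKY:", hit)
```

Run on a real machine you would point `find_risky_files` at the actual sync folder (for example `~/Dropbox` on macOS or Linux) and feed it the timestamp of the last scan; anything it returns deserves a look before anyone double-clicks it.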

Although Dropbox has attempted to make some improvements, it cannot fix the glaring weakness without taking away what users love the most about it: the automatic sync is the hole. Dropbox does offer a more secure version at its highest tier, but the reality for any business attempting to maintain data security is that Dropbox on any computer connected to the network, regardless of what it's used for and by whom, is likely a threat to your data security.

I don’t care what none of y’all say, I still love her.

For those not scared away, check out reviews of Dropbox and other Data Storage services here.

  • Matthew V. Silva

    Nice article. I also like the whole blog! Good to see you are doing well.

  • Chris Kirby (http://www.mypctsolutions.com)

    There is a fix – a company called FileSafely provides an add-on application for Dropbox that adds additional encryption to the files, creates a "safe" folder that you control, allows access control, provides tracking capabilities, etc.

    I’m not affiliated with them in any way but I love their product.

    http://www.filesafely.com

  • Pingback: More Security Problems for Dropbox? - The Cyber Advocate

  • Constance Louise Brigman

    Dropbox for Business folders are shared using an email address for the “team” user and a password that the Dropbox administrator can set but the user can re-set without any prior permission from the Dropbox administrator.

    For example, if I install a Dropbox folder on an office computer so I can share a selected folder in the Dropbox with the user of an office computer, then I add a "team" user by sending him/her an invitation to that user's email. I can go to great lengths to set a private password for that user, but the user merely needs to click on "forgot my password" and Dropbox allows the user to re-set the password. The Dropbox admin does not receive a copy of that password, but he/she can re-set it. Of course the employee can then hit "forgot my password" again and the whole thing starts over.

    The users of shared folders are like mini administrators. Each user of a shared folder has read-write privileges and may set passwords and install shared folders on devices and open them in browsers anywhere at will.

    Holy cow. What a nightmare. Sure you can fire the employee-user but the data has already left the building at that point.
