Wednesday, August 19, 2020

A Typo Could Send All Your Sensitive Dropbox Files To A Stranger - Forbes

A security expert has warned Dropbox customers to be wary of using a new feature that promises to secure your most sensitive files, after it emerged that a simple typo could result in them being sent to a stranger.

Dropbox recently introduced a new service for paid-for subscribers called Dropbox Vault, a PIN-protected area of your Dropbox storage that provides an “additional layer of security for your most sensitive files”.

Dropbox Vault is - according to the company - the perfect place to store highly sensitive documents that you wouldn’t want falling into the wrong hands. Dropbox’s support pages suggest that it would be the ideal place to store documents such as scans of your passport, driver’s license, birth certificates, medical records, legal documents and tax records.

Aside from the security measures already implemented on your account, users must also enter a six-digit PIN code to upload and access items in their Dropbox Vault, providing the “additional layer of security” that Dropbox promises in its marketing.

However, if you decide to enable a feature that allows trusted contacts to download copies of documents in your Vault, a basic typo could result in these sensitive documents being sent to a stranger.

Trusted contact weaknesses

Dropbox provides a facility to give family members or close confidants access to your Vault, by making them a trusted contact. When someone becomes a trusted contact, they have the option to download all the files in your Vault, which arrive in a ZIP file.

However, the form that Dropbox provides to add trusted contacts only asks for the email address to be entered once. Should you mistype that email address, then a stranger would potentially be given instant access to your files. Dropbox doesn’t make you confirm the address twice to check for typos. Trusted account access can be revoked, but this assumes you’ve spotted the mistake in the first place.

Furthermore, there is no requirement for the trusted contact to enter a PIN, nor any requirement that they use additional account security measures, such as two-factor authentication. I tested this with a colleague who doesn’t use two-factor authentication and he was able to download all the files in my Vault.

That means, should the trusted account holder have their password stolen, someone with access to that account could download a copy of all your sensitive documents.

The Dropbox Vault owner is sent a notification that a trusted account holder has downloaded a copy of their files, but by then it is, of course, too late to do anything about it.

Dropbox Vault: be careful who you trust

This very much puts the onus on the user to take great care with who they trust with their documents. The trusted account feature is intended to give family members or other confidants access to those critical files should the account holder be unavailable because of a medical emergency, for example. However, security experts warn users should use such features with care.

“Cybercriminals will target the weakest link in an application and companies must do their utmost to help protect their users by plugging any gaps through constant testing,” said Jake Moore, cybersecurity specialist at security firm ESET. “However, these vulnerabilities appear far larger than the usual code malfunction and more of a misunderstanding into how threat actors operate,” he added.

“I would advise account holders to use this service with caution and possibly look into setting it up once any flaws are patched and approved.”

At the very least, it would be advisable for Dropbox Vault users to ensure their trusted account holders are using two-factor authentication, reducing the risk that their Dropbox account could be hacked and spill their most sensitive data.
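The article identifies three points where the trusted-contact flow fails open: the contact's email address is entered only once, the contact needs no PIN, and the contact's own account need not use two-factor authentication before a bulk download. The following is an added illustration, not Dropbox's code and not a description of how Dropbox Vault is actually implemented: a hypothetical `Vault` model whose invite flow requires the address to be typed twice, holds the invite in a pending state until the invitee accepts, refuses the download unless the invitee's account reports two-factor authentication as enabled, supports revocation, and records every state change as an owner notification. The `Account`, `Invite` and `Vault` classes and the `two_factor_enabled` flag are assumptions made for the example; the sample addresses and file names are constructed.

```python
# Added example (not Dropbox's code): a hypothetical trusted-contact grant flow
# that fails closed at each point the article says the real feature does not.
from dataclasses import dataclass
from enum import Enum
import re


class InviteState(Enum):
    PENDING = "pending"
    ACCEPTED = "accepted"
    REVOKED = "revoked"


@dataclass
class Account:
    """Hypothetical invitee account; two_factor_enabled stands in for whatever
    signal the identity layer would actually expose (an assumption here)."""
    email: str
    two_factor_enabled: bool


@dataclass
class Invite:
    contact_email: str
    state: InviteState = InviteState.PENDING


_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def validate_contact_email(entered: str, confirmation: str) -> str:
    """Double-entry check: a typo in either field raises instead of
    silently granting a stranger access. Returns the normalised address."""
    first, second = entered.strip().lower(), confirmation.strip().lower()
    if first != second:
        raise ValueError("email addresses do not match")
    if not _EMAIL_RE.match(first):
        raise ValueError("malformed email address")
    return first


class Vault:
    def __init__(self, owner: str, files: list[str]):
        self.owner = owner
        self.files = list(files)
        self.invites: dict[str, Invite] = {}
        self.notifications: list[str] = []  # what the owner would be told

    def invite(self, entered: str, confirmation: str) -> Invite:
        email = validate_contact_email(entered, confirmation)
        inv = Invite(email)
        self.invites[email] = inv
        self.notifications.append(f"invite to {email} is pending")
        return inv

    def accept(self, account: Account) -> None:
        """Only a pending invite can be accepted, and only by its addressee."""
        inv = self.invites.get(account.email.lower())
        if inv is None or inv.state is not InviteState.PENDING:
            raise PermissionError("no pending invite for this account")
        inv.state = InviteState.ACCEPTED
        self.notifications.append(f"{account.email} accepted the invite")

    def revoke(self, email: str) -> None:
        inv = self.invites.get(email.lower())
        if inv is not None:
            inv.state = InviteState.REVOKED
            self.notifications.append(f"access for {email} revoked")

    def download(self, account: Account) -> list[str]:
        """Gate the bulk download on an accepted invite AND on the contact's
        own account having two-factor authentication enabled."""
        inv = self.invites.get(account.email.lower())
        if inv is None or inv.state is not InviteState.ACCEPTED:
            raise PermissionError("not an accepted trusted contact")
        if not account.two_factor_enabled:
            raise PermissionError("trusted contact must enable two-factor authentication")
        self.notifications.append(f"{account.email} downloaded {len(self.files)} file(s)")
        return list(self.files)


def rejects(exc: type, fn, *args) -> bool:
    """Helper: True if fn(*args) raises exc (used to confirm fail-closed paths)."""
    try:
        fn(*args)
    except exc:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample data; the .invalid TLD is reserved and never routes.
    vault = Vault("owner@example.invalid", ["passport.pdf", "tax-2019.pdf"])
    print(rejects(ValueError, vault.invite, "bob@example.invalid", "bbo@example.invalid"))
    vault.invite("bob@example.invalid", "bob@example.invalid")
    bob = Account("bob@example.invalid", two_factor_enabled=True)
    vault.accept(bob)
    print(vault.download(bob))
    print(vault.notifications)
```

The design point is that each check rejects before any data moves: the typo is caught at form submission, the pending state means nothing is readable until the addressee acts, and the two-factor requirement is evaluated at download time rather than at invite time, so a contact who later disables it loses access.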

Password breaches aren’t unheard of with Dropbox. In 2012, a data breach exposed the login credentials of 68 million Dropbox users, which the company eventually remedied by forcing customers to perform a password reset some four years later.

A Dropbox spokesperson said: “Dropbox Vault provides an extra layer of security for your most sensitive documents and gives users the option to invite a trusted contact to their Vault for emergency circumstances. After a user invites someone to their Vault, they’re taken to the list of trusted contacts to see that the name and email of the person they just sent the invite to is “pending.” The Vault owner also has the option to revoke their invitation at any time.

“A designated trusted contact is required to re-enter their Dropbox password before accessing the sender’s Vault. The Vault owner will be notified as soon as their trusted contact accepts the invitation and when files are downloaded.”

https://www.forbes.com/sites/barrycollins/2020/08/19/a-typo-could-send-all-your-sensitive-dropbox-files-to-a-stranger/