I have long talked here, and in my Twitter stream, about the importance of securing SaaS apps. Many industry observers with a security bent of mind have long warned about a possible outbreak of security issues once SaaS applications become mainstream. This really puts the focus on the developers of these apps and on how they implement security in their apps and in their infrastructure.
In closing, not extremely devastating on the surface for Dropbox, but definitely food for thought for anyone working on the design of cloud-based applications. Issues like this are definitely not isolated to Dropbox. I wrote a tool about a year and a half ago (that I had forgotten about, by the way) for pulling valid users and data out of Apple’s MobileMe service, an issue that still exists to this day. Cloud providers need to be thinking about this stuff in the design phase because it is hard to make changes after deployment.
The problem he found in his analysis is a bad practice by Dropbox developers in how they number their resources. In the URL they supply to users for sharing files, they use what is equivalent to an account number in the form
This is the root cause of the problem. They have used sequential account numbers, so if you learn one user’s account number from the URL of a public folder, you can derive a list of other valid account numbers. This could very well serve as a starting point for a hacker, who can then use social engineering techniques and other random poking around to get more information about the users. That information can then be used to create havoc in the lives of individuals or businesses (remember the Twitter hack episode?). I just hope Dropbox takes this very seriously and takes measures to prevent any serious mishaps. I also hope that they address this issue transparently so that users can trust cloud computing.
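To make the design point concrete, here is an added example (not code from the original post, Mr. Hamiel's analysis, or Dropbox) showing the two defender-side responses to a sequential-identifier scheme: minting share links from an unguessable random token rather than the account number, and flagging clients in an access log whose requests walk through consecutive account numbers. The host name, URL layout and log format are assumptions constructed for the example.

```python
import re
import secrets
from collections import defaultdict

# Hypothetical storage: token -> (account_id, path). A real service would back
# this with a database table; the in-memory dict keeps the example runnable.
_share_links = {}

def issue_share_link(account_id, path):
    """Mint a public-folder link keyed by a 128-bit random token instead of
    the account number, so one link reveals nothing about any other account."""
    token = secrets.token_urlsafe(16)  # 16 random bytes -> 22 URL-safe chars
    _share_links[token] = (account_id, path)
    return f"https://share.example.test/s/{token}"  # hypothetical host

def resolve_share_link(token):
    """Unknown tokens resolve to None; the lookup leaks nothing about others."""
    return _share_links.get(token)

# Constructed access-log lines (client, method, path) for a legacy URL scheme
# that embeds the sequential account number, as described in the post.
SAMPLE_LOG = """\
10.0.0.5 GET /u/1048576/public/report.pdf
10.0.0.5 GET /u/1048577/public/
10.0.0.5 GET /u/1048578/public/
10.0.0.5 GET /u/1048579/public/
10.0.0.9 GET /u/2210044/public/photo.jpg
"""
LOG_RE = re.compile(r"^(\S+) GET /u/(\d+)/public")

def flag_enumeration(log_text, min_run=3):
    """Return client IPs whose requests cover >= min_run consecutive account
    numbers: the access pattern a sequential-ID scheme makes possible."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            seen[m.group(1)].add(int(m.group(2)))
    flagged = set()
    for ip, ids in seen.items():
        ordered = sorted(ids)
        run = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            if run >= min_run:
                flagged.add(ip)
                break
    return flagged
```

The detector is a heuristic for the legacy scheme; once links are keyed by random tokens, there is no sequence left to walk and the check becomes unnecessary.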
Note: If Dropbox feels his assessment is not right, we will be glad to publish their rebuttal of Mr. Hamiel’s analysis here.