July 17, 2012

“Always have your stuff when you need it with Dropbox.” That’s the marketing line for the online file storage service, but today users have had difficulty logging into the service. The outages came amid reports that many European Dropbox users were being blasted with spam for online casinos, suggesting some kind of leak of Dropbox user email addresses.

The trouble began earlier today, when users on the Dropbox support forums began complaining of suddenly receiving spam at email addresses they’d created specifically for use with Dropbox. Various users in Germany, the Netherlands and United Kingdom reported receiving junk email touting online gambling sites.

Dropbox did not respond to emails seeking comment, but a forum user who self-identified as a company employee said Dropbox was investigating the reports.

At around 3 p.m. ET, the company’s service went down in a rare outage, blocking users from logging into and accessing their files and displaying an error message on dropbox.com. I will update this post in the event that the company responds to my requests or provides some explanation of what caused today’s outage and the spam.

The outage and strange spam runs follow a week of high profile password and data breaches. Yahoo! acknowledged that more than 400,000 user names and passwords to Yahoo and other companies were stolen last Wednesday. Formspring, a social question-and-answer site, reset all user passwords after it discovered that approximately 420,000 password hashes from its servers had been posted to an online forum last Monday. Androidforums.com and Billabong International also disclosed password breaches last week.

Update, 6:37 p.m. ET: Dropbox just issued the following statement about today’s events: “We’re aware that some Dropbox users have been receiving spam to email addresses associated with their Dropbox accounts. Our top priority is investigating this issue thoroughly and updating you as soon as we can. We know it’s frustrating not to get an update with more details sooner, but please bear with us as our investigation continues.”

Update, July 20, 9:35 a.m. ET: A Dropbox administrator posted this update last night:

– As of today, we’ve found no intrusions into our internal systems and no unauthorized activity in Dropbox accounts.
– We’ve reached out to users who’ve reported receiving spam messages and are closely investigating those reports.
– Security is our top priority and we’ll let you know if we uncover evidence that these email addresses came from Dropbox.

Thanks for your patience. Investigations like this can take time and we’re working hard to get to the bottom of this.

-Graham



16 thoughts on “Spammers Target Dropbox Users”

  1. Steve Wilner

    At 17:30 ET I have normal access to the Dropbox Web site and my files both Web and mobile device.

  2. Bart

    A new release of Flash is out, at least for Macs.

  3. leoluk

    Surprisingly high number of password leaks in the last weeks.
    Maybe related to a new 0day?

  4. Matthew

    I hope those folks who use one pwd for multiple sites will awaken to the dangers.

  5. AndrzejL

    I removed my Dropbox accounts many months ago after listening to one of the SecurityNow episodes…

    “And what he determined by experimentation is that the only thing that identifies you to Dropbox is the host_id. There is no other lockage of that file to a given system. And so what he posted – and again, I learned about this from people saying in Twitter, hey, Steve, what do you think about this? And this has been a constant flow for the last couple weeks. And I mentioned last week that I hadn’t had a chance to dig into this, but I would, to look into it and verify it. So I did want to follow up for everyone who’s been wondering.

    So what this means is that, if you weren’t protecting this file, or if anything got onto your system which was able to grab this file through social engineering attack or spyware or malware, whatever, if you lost control of that file such that it was in any way exfiltrated from your control, then that file can be installed on any other system. And that provides the sole authentication of you, the instance of you, to Dropbox such that, with no other information, no username, password, no logon, anything, that authenticates that new system. And there is – it doesn’t appear as a new machine in the set of machines that you have authorized to use. It’s merely a clone of that first one, which then has full access, unencrypted access, to your Dropbox contents. Which to me says these guys aren’t really looking at security.”

    Source: grc.com/sn/sn-297.htm – MP3 also available for those that prefer to listen rather than read… I was hoping that Dropbox changed their ways of doing things and that increasing the security and privacy of the users has become one of their main goals. I was actually thinking about them recently. I asked myself a couple of weeks ago – did they change their security model? But I guess this is the answer to my question. SpiderOak FTW…

    Regards.

    Andrzej

    1. voksalna

      AndrzejL,

      Don’t you mean…. a cookie?

      1. AndrzejL

        I am sorry but I do not understand.

        Did you mean the quote? If so – it’s Steve Gibson you would have to ask :).

        Regards.

        Andrzej

      1. AndrzejL

        Still… IF they are making security bugs like this – no wonder their DB is flying around… Just my 2 cents.

        Regards

        Andrzej

        1. voksalna

          Cookies aren’t terrific but you’d be surprised at how many places use them for authentication (ie “remember this computer” sorts of things), which is why I’m confused. It’s not a bug if they meant to have it that way. Doesn’t make it good practice, but as I said… it’s sort of naive to only put the onus on dropbox here. If you don’t believe me, ask Google. 🙂

          A better question might be, if you’re that concerned about security, why you don’t clear your browser cookies and cache out on a regular basis (there are very good browser plugins for this for firefox and opera (and most likely IE but if you’re using IE… you probably don’t care about security)).

          1. leoluk

            The Dropbox security problem was not related to cookies at all. Every computer logging in to a Dropbox account got an access token which didn’t expire when changing passwords. This meant that if someone stole that token, he would have access to the account even after changing passwords.
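            The failure mode described in this comment, and the host_id file quoted further up the thread, are the same design weakness: a bearer credential that a password change does not revoke. The toy store below is an added illustration, not Dropbox code or anything posted in this thread; every name in it is constructed. It contrasts a legacy policy (tokens live until explicitly revoked) with a hardened one (each token records the account's credential generation, and a password change bumps that generation so every earlier token dies at once):

```python
import hashlib
import secrets


class TokenStore:
    """Constructed illustration of two token-lifetime policies (not Dropbox code).

    legacy=True  : a token stays valid until explicitly revoked, so changing
                   the password does not cut off a token copied off the device.
    legacy=False : each token records the account's credential generation at
                   issue time; a password change increments the generation and
                   thereby invalidates every previously issued token.
    """

    def __init__(self, legacy=False):
        self.legacy = legacy
        self.accounts = {}   # user -> {"pw": hash, "gen": int}
        self.tokens = {}     # opaque bearer token -> {"user": str, "gen": int}

    @staticmethod
    def _hash(password):
        # sha256 only for brevity; a real store uses a slow, salted password hash
        return hashlib.sha256(password.encode()).hexdigest()

    def register(self, user, password):
        self.accounts[user] = {"pw": self._hash(password), "gen": 0}

    def login(self, user, password):
        acct = self.accounts.get(user)
        if acct is None or not secrets.compare_digest(acct["pw"], self._hash(password)):
            return None
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"user": user, "gen": acct["gen"]}
        return token

    def change_password(self, user, old, new):
        acct = self.accounts[user]
        if not secrets.compare_digest(acct["pw"], self._hash(old)):
            return False
        acct["pw"] = self._hash(new)
        acct["gen"] += 1          # hardened policy: all older tokens now stale
        return True

    def authorize(self, token):
        """Return the user a token grants access to, or None if it is rejected."""
        rec = self.tokens.get(token)
        if rec is None:
            return None
        if not self.legacy and rec["gen"] != self.accounts[rec["user"]]["gen"]:
            del self.tokens[token]   # issued before the password change: drop it
            return None
        return rec["user"]


def stolen_token_survives_password_change(legacy):
    """Simulate a token copied off a device, then a password change by the owner."""
    store = TokenStore(legacy=legacy)
    store.register("alice", "correct horse")
    stolen = store.login("alice", "correct horse")
    store.change_password("alice", "correct horse", "battery staple")
    return store.authorize(stolen) == "alice"
```

With `legacy=True` the copied token still authorizes after the password change; with `legacy=False` it is rejected while a fresh login with the new password still works.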

            1. AndrzejL

              Oh that is what voksalna was asking about.

              Yeah it was not cookies related. Just a security “feature” ;).

              Regards.

              Andrzej

  6. Philip Spohn

    I think the root cause is right there in plain sight. When you right-click a Dropbox sub-folder in Windows Explorer you get an option to “Share this folder…”. The invitation that Dropbox then sends arrives as an email that states in part ” {Sender} wants to share some files with you using Dropbox…”

    If the recipient(s) PC is compromised, the spammer simply scrapes the address from the message and starts the spam barrage.

    If you send the invitation to say, 10 addresses, at least one of them is likely to be compromised.

    1. Philip Spohn

      I see the comment system removed my (made-up) email address that should appear after {sender}. It’s right there in plain sight in the original email message from Dropbox.

    2. leoluk

      Dropbox isn’t even installed on my computer and I didn’t invite anyone, and I still got that spam mail, so I don’t think it’s the root cause.

      1. Sastray

        @leoluk

        I think the point is not that you need dropbox on your computer or to invite anyone, but rather –

        to gather a list of dropbox users, a compromised computer could look for those invitations from legitimate users, and compile their list based on those senders. This sort of scraping would fade into the woodwork until it became useful for a targeted attack, such as this one.

        The way to disprove the theory is to see whether the email address of any user who ~hasn’t~ sent out invitations to other users (regardless of whether the other user accepted or not) has been compromised.
