Avira Techblog: Dropbox’s two factor authentication and what happens when it fails

Some time ago, Dropbox introduced two-factor authentication. This means that you need to prove that you are in possession of something that only the owner of the account has. This is usually a mobile phone (which receives a code by SMS), but it can also be an application which generates a unique, short-lived code.

This type of authentication adds another layer of security on top of the classic username-and-password authentication: a stolen password alone is no longer enough to log in.

For a reason that has not been explained, Dropbox apparently started, about a day ago, to expire the passwords of users who have activated two-factor authentication. An affected user is forced to reset the password in order to access the account. When trying to log in, the user receives an email with the subject “Please update your expired Dropbox password” and is asked to click on a link in order to reset the password:

We noticed that you recently tried to log in to Dropbox with a password that you haven’t changed in a while. Your old password has expired and you’ll need to create a new one to log in.

The only information provided is that the password is old and needs to be changed.

Until the password is changed, any application or service using the Dropbox account of the affected user will not be able to log in. The error message is very generic, pointing toward an unknown error on the website. The error code returned by the web server appears to be 500, i.e. “Internal Server Error”: a generic server-side failure that tells the client nothing about the cause. (A service that is deliberately unavailable would normally answer 503, and a rejected credential 401 or 403, so neither the user nor a client application gets any hint that the password has expired.)

Once the user requests the password reset, there is a second email with the subject “Dropbox password reset confirmation” and the text:

You recently requested a link to reset your Dropbox password.
Please set a new password by following the link below:

After clicking on the link and setting a new password, the user is sent through the two-factor authentication step and receives an SMS with the code needed to complete the login.

For more than five hours today, September 12, between 16:30 and 21:36 GMT+1, the two-factor authentication service did not function, potentially preventing all users who have two-step authentication enabled from logging in.

The error received did not point toward the authentication service, but a login was not possible. An account without two-step authentication enabled could log in without problems.

At 21:36 GMT+1 the service started to function again and logging in was possible.

In the Dropbox forums, the thread “Getting Error 500 when resetting the expired password” was the first to report the problem.

In the same forum, another thread, started a day before, asked “Who decided to expire my password?”, pointing to exactly the same behavior described at the beginning of the article.

Is this behavior something that Dropbox introduced recently? There is no information on their blog or in the forums.

Was the Dropbox site hacked, passwords stolen, and now they force everybody to reset their password? Probably not, because then they should have done this for all accounts, not only for those with two-factor authentication.

Did they again experience a bug like last time, when they allowed any user to access any other Dropbox account?

Or is it only a way to annoy the users?

We will see soon whether a Dropbox official bothers to answer the questions in the forum.


Sorin Mustaca

Data Security Expert

via Avira – TechBlog http://techblog.avira.com/2012/09/12/dropboxs-two-factor-authentication-and-what-happens-when-it-fails/en/


© Copyright 2012 Sorin Mustaca, All rights Reserved. Written For: Sorin Mustaca on Cybersecurity


See www.endpoint-cybersecurity.com for the consulting services we offer.

Visit www.itsecuritynews.info for the latest security news in English
Visit de.itsecuritynews.info for IT security news in German