Security features are supposed to help us be more secure, right?
Well, yes. Supposed to is one thing – but sometimes, well-intentioned “security” features can actually increase risk in some ways.
Dropbox just introduced Dropbox Vault, a supposedly high-security storage space for their users’ most sensitive files, such as scans of birth certificates, driver’s licenses, passports, medical records, etc. The service is available to those with a paid subscription to Dropbox.
In order to access the vault, extra verification is required, such as entering a personalized 6-digit-pin, which is intended to add an “additional layer of security,” according to Dropbox.
But the new feature has one fatal flaw: a simple typo could give a stranger access to some of your most personal files.
What’s the problem?
Dropbox’s Vault allows users to select certain friends or family members as “trusted contacts” – granting them access to all their most secure scans simply by typing in their email address once. Any trusted contact can download all the files in your vault in a ZIP file.
The problem? Dropbox doesn’t have you type in the email addresses more than once to ensure they are correct. One typo and you could accidentally be giving someone you don’t know access to your most sensitive files.
While you can revoke trusted contact status, it’s possible that you could mistype an email address and not even know it.
What’s worse is that the trusted contact does not have to enter a PIN number, or complete any other sort of verification for security purposes. Should anyone steal a trusted contact’s password, they would be able to download a ZIP file of all your high security files. All Dropbox does in that case is send the Vault owner an email notification that their files have been downloaded – at which point, it is too late to prevent any possible security breach.
What the experts think
Jake Moore, a cybersecurity specialist at security firm ESET, remarked:
Cybercriminals will target the weakest link in an application and companies must do their utmost to help protect their users by plugging any gaps through constant testing. However, these vulnerabilities appear far larger than the usual code malfunction and more of a misunderstanding into how threat actors operate. I would advise account holders to use this service with caution and possibly look into setting it up once any flaws are patched and approved.
Dropbox Vault requires users to put extreme care into who they select to give “trusted contact” status. If you must use it, exercise discretion with whom you grant this status to, and set up two-factor verification for them.