How Form Validation Bug Caused Massive Dropbox Nudes Leak
- Comments Off on How Form Validation Bug Caused Massive Dropbox Nudes Leak
- Posted on
Form validation is an important part of designing any kind of software, but it can be a difficult problem to solve. Just ask the programmers who created the form that allowed hackers to steal hundreds of nude pictures from more than 200 celebrities in October 2017, including Jennifer Lawrence and Kate Upton. The bug occurred when attackers used a flaw in how the application checked whether users had typed in their passwords correctly. If the attackers entered incorrect passwords multiple times, they were able to bypass security checks and access private photos stored on the victims’ devices.
The Validation Vulnerability
The vulnerability was discovered in September by a group of Polish security researchers known as GDIY (pronounced “giddy”). They initially reported the bug to Dropbox through its HackerOne program, where hackers report vulnerabilities for companies and get paid bounties for reporting them. Instead of paying out the bounty, however, Dropbox asked the team members to keep working with the company, which led to a collaboration between Dropbox security engineers and GDIY.
After analyzing the bug in detail, they realized that it could be exploited in two different ways: by getting users to type in the wrong password over and over again or by tricking them into entering incorrect numbers. This latter method works by making a very small change to the string of characters that represents a user’s password so that the application interprets it as being correct. By typing this altered password repeatedly, the attacker is able to fool the software into accepting its input.
GDIY also found that there was no limit to how many times a hacker could enter incorrect passwords. All that mattered was that the attacker entered enough characters before the application stopped allowing new ones.
How The Dropbox Nudes Leaked
This meant that if someone wanted to gain unauthorized access to the account of another person, all they needed to do was to guess their password incorrectly and then continue guessing until they got it right. That’s not an easy task.
But the hackers behind the Dropbox hack did it anyway, and once they managed to break into the accounts of the first few people they targeted, others began to follow. As more and more people fell victim, the hackers gained access to hundreds of thousands of nude images belonging to famous female celebrities.
Dropbox fixed the vulnerability within hours of learning about the attack. It also refunded the affected parties, which included the individuals whose accounts were hacked as well as the Hollywood actresses whose intimate photos were leaked. However, the damage has been done, and the photos have spread to leaked Dropbox nude collections (https://onlybros.com/dropbox-nude/).
Why A Bug Like This Is So Dangerous
Security experts warn that this kind of bug should serve as a reminder of why developers need to test their software carefully, especially before releasing it to the public. In this case, the Dropbox developers didn’t perform the necessary tests on their own software, which resulted in them releasing a flawed product without realizing it. The result was that millions of people around the world became victims of identity theft because of a bug in one of the most popular cloud storage services in the world.
How To Avoid These Form Validation Bugs
Developers can reduce the risk of bugs like these by using automated tools that check the validity of forms. Automated testing programs are designed to identify potential problems and alert developers of errors before their software goes live. These programs work by comparing a submitted form with the expected data and flagging anything that doesn’t match up.
Testing can be tricky, though. There are so many different types of fields in a typical app, and each of them has to be tested individually. Some apps have hundreds of fields, while others might only have a dozen. And even if you find the time and manpower to test every single field in your app, what happens when you add in new features? How will you know whether those features are still working properly after adding them?
Thankfully, there’s a solution to all of these challenges. You can use automatic tool suites to test your app’s form validation capabilities. By using automatic testing tools, developers can eliminate the risk of data breaches caused by bad form validation, which allows them to deliver better products to their clients and reduce the chances of having to pay out large bounties to hackers.