Dropbox officially launched its password manager called ‘Vault’ in June, and it also doubles as a safe place to keep your sensitive documents. Geared towards premium paying users, the product promoted zero-knowledge design and strong encryption. However, as reporters from Forbes point out, there is now a serious security flaw that plagues Vault.
Reportedly, if a Vault user tries to share access to their Vault folders with someone, they could end up sharing highly sensitive documents with strangers. All that they would need to do for this to happen is to mistype the contact’s email address.
Vault is PIN-protected with a six-digit code, and the owner of the protected folder needs to enter that PIN to access the data. However, the trusted contacts don’t need to enter anything, such as one-time codes arriving via SMS or something along those lines.
Dropbox Vault and Dropbox Passwords are two separate features. Dropbox Passwords stores and syncs your passwords across devices with zero-knowledge encryption so users can easily log into websites and apps. Dropbox Vault secures and organizes users' most important personal documents and allows them to grant emergency access to select friends and family.
As users point out, Dropbox isn’t asking them to confirm the email address of the trusted contact, so they enter it once and the invitation is sent immediately. If there is a typo, a stranger gets instant access to your Dropbox Vault. If you haven’t noticed the mistake in time to revoke that access, you are done for.
When the trusted contact downloads a copy of the files, a notification is generated and sent to the owner. Of course, it would be too late to secure the data by then, so that mechanism isn’t helping much either. Furthermore, if a malicious actor uses stolen or phished credentials to access the trusted contact’s account, they would be able to access your Dropbox Vault. Here the absence of a PIN or 2FA step for trusted contacts comes into play again, adding another path to disastrous data exposure.
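The two weaknesses described above (no confirmation of the typed address, and access that is live before the recipient has proven anything) are design choices that a sharing flow can avoid. The following is an added, constructed example of a hardened emergency-access grant, not Dropbox's code; the service, class and method names are assumptions for illustration. It makes the owner type the address twice, keeps a grant inert until the invitee redeems a single-use token delivered to that address, notifies the owner at invitation time rather than at download time, and checks the grant state on every download. It does not, on its own, address a takeover of the trusted contact's account; that still needs a second factor on the contact's side.

```python
"""
Hypothetical emergency-access grant flow (constructed example, not Dropbox code).

Design points that address the failure modes described in the article:
  1. The owner must type the contact's email twice; a mismatch aborts the grant.
  2. A grant starts 'pending' and gives no access. The invitee must redeem a
     single-use token delivered to the typed address, proving control of it.
  3. The owner is notified when the grant is created, not only when files are
     downloaded, so a typo can be caught and revoked before any access exists.
  4. Every download checks that the grant is 'accepted' and not revoked.
"""
import hmac
import secrets
from dataclasses import dataclass, field


def emails_match(email: str, email_confirm: str) -> bool:
    """Point 1: double-entry confirmation, case-insensitive, whitespace-trimmed."""
    return email.strip().lower() == email_confirm.strip().lower()


@dataclass
class Grant:
    owner: str
    invitee_email: str
    token: str
    state: str = "pending"  # pending -> accepted | revoked


@dataclass
class VaultShareService:
    grants: dict = field(default_factory=dict)          # grant_id -> Grant
    notifications: list = field(default_factory=list)   # (owner, message)
    outbox: list = field(default_factory=list)          # (email, token) simulated mail

    def create_grant(self, owner: str, email: str, email_confirm: str) -> str:
        if not emails_match(email, email_confirm):
            raise ValueError("email addresses do not match")
        email = email.strip().lower()
        grant_id = secrets.token_urlsafe(8)
        token = secrets.token_urlsafe(32)
        self.grants[grant_id] = Grant(owner, email, token)
        # The invitation goes to the typed address; nobody has access yet.
        self.outbox.append((email, token))
        # Point 3: tell the owner now, while revocation still prevents exposure.
        self.notifications.append((owner, f"trusted contact invited: {email}"))
        return grant_id

    def accept(self, grant_id: str, presented_token: str) -> bool:
        """Point 2: the invitee proves control of the address by redeeming the token."""
        g = self.grants[grant_id]
        if g.state != "pending":
            return False
        if not hmac.compare_digest(g.token, presented_token):
            return False
        g.state = "accepted"
        g.token = ""  # single use: the token cannot be replayed
        return True

    def revoke(self, grant_id: str) -> None:
        self.grants[grant_id].state = "revoked"

    def can_download(self, grant_id: str, requester_email: str) -> bool:
        """Point 4: access only for an accepted grant, bound to the invited address."""
        g = self.grants.get(grant_id)
        return (
            g is not None
            and g.state == "accepted"
            and g.invitee_email == requester_email.strip().lower()
        )


if __name__ == "__main__":
    svc = VaultShareService()
    gid = svc.create_grant("alice@example.com", "bob@example.com", "bob@example.com")
    print("pending grant can download:", svc.can_download(gid, "bob@example.com"))
    _, token = svc.outbox[-1]
    print("accepted:", svc.accept(gid, token))
    print("accepted grant can download:", svc.can_download(gid, "bob@example.com"))
```

The key property is that a mistyped address produces, at worst, an unredeemed invitation sitting in a stranger's inbox while the owner already holds a notification and a revoke button, rather than live access to the folder.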
All that said, if you are using Dropbox Vault, you may want to refrain from using the “trusted contacts” feature altogether. Many people add other users as trusted contacts to ensure that their important files will remain retrievable if something bad happens to them.
Family members are a classic example of this type of access share, but until Dropbox adds a two-factor authentication step for this, maybe you should find another way to give that access. If you insist on adding someone, at least make sure you have typed their email address correctly before you click on that confirmation button.