Slashdot Mirror


Dropbox Authentication: Insecure By Design

An anonymous reader writes "Dropbox can be very useful, but you might be a little surprised to learn that by copying one file from a computer running the application, an attacker can access and download all of your files without any obvious signs of compromise. Normal remediation steps after a compromise such as password rotation, system re-image, etc. will not prevent continued access to the compromised Dropbox. Derek Newton, a security researcher that published this finding yesterday, discusses the security implications of this by-design security authentication method on his blog."

27 of 168 comments

  1. Duh? by zachriggle · · Score: 2, Informative

    If your local machine is accessed by an untrustworthy party and they get your shared secret/API token/whatever, they can impersonate you. ALSO: Applications store your login information locally when you request that they save your login information!!! News at eleven.

    1. Re:Duh? by meloneg · · Score: 4, Interesting

      But, according to the summary up there, this one survives password changes. That's really the gotcha. It sounds like they are using something similar to the SSH authentication keys. http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&sektion=1

      But, they really need to implement a way to reset the key files and force you to restart the authentication cycle.

    2. Re:Duh? by OverlordQ · · Score: 2

      Did you even RTFS?

      Once you're compromised, it's permanent, you can't change your password, you can't reformat, etc. Regardless of what they steal, changing your credentials through available means should lock them out.

      --
      Your hair look like poop, Bob! - Wanker.
    3. Re:Duh? by zachriggle · · Score: 2

      If I steal your SSH key, and then you change your password, I can still access your box.

      The only difference here is that you're no longer in control of the effective authorized_hosts file, Dropbox is. Yes, they should regenerate the key every time you change your password.

      The article's hysteria seems to be much more about the file, rather than the fact that a password change doesn't change your API key / secret key / etc.

    4. Re:Duh? by hoggoth · · Score: 5, Informative

      Then they did it wrong.
      Truecrypt encrypts your data with a key. This key is encrypted with ANOTHER key (your password). You can change your password and it will re-encrypt the encrypted key, without having to re-encrypt all of your data.

      --
      - For the complete works of Shakespeare: cat /dev/random (may take some time)
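
An added Python illustration of the key-wrapping pattern hoggoth describes (this is example code written for this page, not TrueCrypt's or Dropbox's own implementation): the data-encryption key is wrapped under a password-derived key, and a password change rewrites only that small header while the bulk ciphertext stays as it is. The plaintext is constructed, and the HMAC-based CTR keystream stands in for a real cipher such as AES-GCM so the example stays standard-library only.

```python
import os
import hmac
import hashlib

# Hypothetical key hierarchy for illustration: the data-encryption key (DEK)
# never changes; only its password-wrapped header is rewritten.

def derive_keys(password: bytes, salt: bytes):
    """PBKDF2-HMAC-SHA256 -> (32-byte wrapping pad, 32-byte MAC key)."""
    km = hashlib.pbkdf2_hmac("sha256", password, salt, 100_000, dklen=64)
    return km[:32], km[32:]

def wrap_dek(dek: bytes, password: bytes) -> dict:
    """Header = fresh salt, DEK XOR pad, HMAC tag (detects a wrong password)."""
    salt = os.urandom(16)
    pad, mac_key = derive_keys(password, salt)
    wrapped = bytes(a ^ b for a, b in zip(dek, pad))
    tag = hmac.new(mac_key, salt + wrapped, "sha256").digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}

def unwrap_dek(header: dict, password: bytes) -> bytes:
    """Recover the DEK; raises ValueError on a wrong password or tampered header."""
    pad, mac_key = derive_keys(password, header["salt"])
    tag = hmac.new(mac_key, header["salt"] + header["wrapped"], "sha256").digest()
    if not hmac.compare_digest(tag, header["tag"]):
        raise ValueError("wrong password or corrupted header")
    return bytes(a ^ b for a, b in zip(header["wrapped"], pad))

def change_password(header: dict, old_pw: bytes, new_pw: bytes) -> dict:
    """Re-wrap the same DEK under a new password; bulk ciphertext is untouched."""
    return wrap_dek(unwrap_dek(header, old_pw), new_pw)

def ctr_xor(dek: bytes, nonce: bytes, data: bytes) -> bytes:
    """Demonstration CTR-style stream cipher with HMAC-SHA256 as the block PRF.
    (A real system would use AES-GCM; this keeps the example standard-library only.)"""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(dek, nonce + off.to_bytes(8, "big"), "sha256").digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

def demo() -> bytes:
    """Encrypt, rotate the password, and decrypt with the *new* password only."""
    dek, nonce = os.urandom(32), os.urandom(16)
    header = wrap_dek(dek, b"old-password")
    ciphertext = ctr_xor(dek, nonce, b"constructed sample: plain-text tax form")
    header = change_password(header, b"old-password", b"new-password")
    return ctr_xor(unwrap_dek(header, b"new-password"), nonce, ciphertext)
```

The contrast with the host_id discussed in the story is that here the old password stops working the moment the header is rewritten, because the header is the only thing the password ever protected.
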
  2. What about Ubuntu One? by josgeluk · · Score: 3, Interesting

    Ubuntu One is a similar service, running native on Ubuntu systems. I wonder whether that has the same built-in vulnerability.

    1. Re:What about Ubuntu One? by Dr_Barnowl · · Score: 5, Informative

      Ubuntu One uses OAuth, which should have a sensible means of expiring tokens.

      And seeing the sibling poster - obligatory extra SPAAAAM! Ahem... U1 is currently cheaper than Dropbox, being a buck fifty per GB per year, rather than the 2 bucks per GB that Dropbox charge, and you can get extra storage in smaller increments, so if you need 60GB you'll only need to shell out $90 per year for 3x20GB packs, not $200 for the 100GB account on Dropbox. The downside is that the service isn't quite as good as Dropbox; their Windows client is less mature than their Linux client, it doesn't AFAICT have LAN syncing, or delta compression. The upside is that you could view it as supporting something important to you, if that has value in your personal catalogue. And it's cheaper for the same volume of storage.

  3. /.'ed by just_another_sean · · Score: 3, Informative

    Site seems to be /.'ed already. Here is another site mirroring the original blog.

    --
    Creationist Textbook Stickers Declared Unconstitutional by CowboyNeal
    1. Re:/.'ed by clang_jangle · · Score: 4, Informative

      FTFA (emphasis in bold added)

      Dropbox Insecure by Design, by Mr. P on April 08, 2011 @ 4:54 am

      Sources: http://dereknewton.com/2011/04/dropbox-authentication-static-host-ids/

      Security Engineer Derek Newton recently discovered a vulnerability in Dropbox's authentication mechanism, whilst looking for forensic traces left behind by such software. Derek discovered that in one of Dropbox's SQLite Database files, config.db, there are 3 fields contained:

      Email
      Dropbox_Path
      Host_ID

      After testing (by modification of existing fields), Derek was able to determine that the only field that affected authentication in any way was host_id. Any other fields did not affect the way in which the machine was able to communicate or sync files with Dropbox. After some more testing, Derek was able to prove that by taking the config.db, and installing it/copying it to another machine, he was instantly able to access/sync the existing files of that user's Dropbox. In doing so, he was not once prompted for authentication or credentials, and the user was not notified of any access to their files.

      This carries a lot of implications, as stated by Derek, as it allows Malware to quickly and quietly steal access to your files, without you knowing. It also allows malicious users to copy over a very small file in order to steal many larger files later, rather than copying over all the files at the time of theft. Malware would also be able to be persistently installed in the Dropbox files, so that when a user reformats their computer, it is simply synced and run all over again.

      A user would need to delete/revoke the affected device ID from their Dropbox after infection to prevent continued access.

      Note this requires an attacker to already have access to the config.db, i.e. one must have physical access to the machine and already be logged in as a privileged user or owner of the config.db.

      --
      Caveat Utilitor
    2. Re:/.'ed by JimFive · · Score: 5, Interesting

      Note this requires an attacker to already have access to the config.db, i.e. one must have physical access to the machine and already be logged in as a privileged user or owner of the config.db.

      No it doesn't. It requires an attacker to create their own config.db file and guess the hostID. How long is that HostID and how is it generated?
      --
      JimFive

      --
      Please stop using the word theory when you mean hypothesis.
  4. Re:Dropbox by Hijacked+Public · · Score: 5, Insightful

    There is a significant difference between a service I find useful for embedding photos on web forums, or similar things, and one I'd store my plain text tax forms on.

    --
    "Sacrifice for the good of The State" - The State
  5. Re:Dropbox by Anonymous Coward · · Score: 3, Funny

    Agreed! I upload my tax forms to Pastebin and keep my photos securely locked away.

  6. Re:Dropbox by Wrath0fb0b · · Score: 3, Insightful

    Replying to undo accidental 'redundant' instead of 'informative'.

    Doh. Also poster is right. Different data have different security requirements -- think about that for a while.

  7. Re:Surprised? by Rebelgecko · · Score: 2

    For me, the surprising part is that someone can access your dropbox after you've changed your password. I guess I'm an idiot then.

    --
    CATS/Diebold '08- All your vote are belong to us!
  8. Re:Dropbox by HikingStick · · Score: 2

    Let's face it. Many times, it doesn't matter whether you or I find such sites useful. What matters is whether or not senior executives, marketing partners, or "the guy who signs the checks" finds them useful. The rest of us are just screwed until we can convince management otherwise.

    --
    I use irony whenever I can, but my shirts are still wrinkled...
  9. Re:Slashdotted before the comments even started? by hedwards · · Score: 3, Insightful

    I'm always shocked by how much load is put on a server by people not reading the article.

  10. Not what I think of... by esme · · Score: 2

    This isn't what I think of when I think of "insecure by design". This term is usually applied to things like DRM, where it would be impossible, or very very difficult, to fix, and would require completely redesigning how the access control system works.

    In this case, dropbox writes a sqlite db after authenticating, and then doesn't check to make sure that it's valid later on. So you can alter the db file to access other people's accounts without having to re-authenticate.

    It would be trivial for dropbox to update their app to at least check that the sqlite db is internally-consistent, and require re-auth if not. So there is no giant design issue preventing them from fixing this.

  11. Re:Dropbox by lgw · · Score: 4, Funny

    Actually I find Dropbox to be very useful for things like ebooks and technical PDFs.

    I can access them from my desktop, iPhone, iPad, wherever.

    And so can I! Thanks for putting those up there, by the way, it doesn't work if everyone leeches.

    --
    Socialism: a lie told by totalitarians and believed by fools.
  12. Re:What's different? by Desler · · Score: 2

    Because when you change your password on other services the attacker won't continue to be able to access your account?

  13. the Cloud is ... by Tumbleweed · · Score: 3, Insightful

    Someone else's computer

  14. Re:Dropbox by RobDude · · Score: 2

    I'm a big fan of Dropbox.

    Having said that, long before I read this, I realized that anything I put into my Dropbox folder would be visible by *OTHER PEOPLE*. After all, the data is being stored on a server that I don't own. In this day and age, anything that is out of your hands is likely to be stolen, sold or lost by whatever company you are dealing with.

    Dropbox is great for storing crap that is either....

    1.) Not personal (my collection of .mp3s - I don't care if the world can access them)
    2.) Personal, but trivial (pictures of my home renovations....I don't care if the world can access them)
    3.) Encrypted

    If you want to store your important tax documents or scans of your birth certificate or whatever else; cool. Go for it. But you'd better encrypt the heck out of it.

  15. Re:Short Version of the Article by Carnildo · · Score: 5, Informative

    That's a gross oversimplification. A better one-line summary is:

    "If someone gets access to your Dropbox credentials, they have permanent access to your files, even if you change your password."

    That last bit is what the article is about.

    --
    "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
  16. Dropbox IPS sig from EmergingThreats by AgentPhunk · · Score: 2

    My IPS sensors went berserk today after I updated my sigs from Emergingthreats.net:

    emerging-all.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Dropbox.com Offsite File Backup in Use"; flow:established,to_server; uricontent:"/subscribe?host_int="; uricontent:"&ns_map="; uricontent:"&ts="; content:".dropbox.com|0d 0a|"; classtype:policy-violation; sid:2012647; rev:2;)

    I was shocked how many users have this installed and running on their systems. Now I just need to convince management why I should change this rule to BLOCK. TFA and the /. comments will sure come in handy.

    Kudos to the folks at ET and the community that writes these sigs. Simply amazing.
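
An added Python illustration, written for this page rather than taken from the comment, Emerging Threats or the Snort project: it parses the uricontent/content options out of the rule quoted above and applies them to two constructed HTTP requests, the way a detection engineer might sanity-check what a signature actually keys on before flipping it from alert to block. The real engine additionally normalises the URI and tracks flow state, which this simplified matcher skips.

```python
import re

# Rule text as quoted in the comment above; the matching logic below is this
# example's own simplified reading of it, not the Snort/Suricata engine.
RULE = ('alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
        '(msg:"ET POLICY Dropbox.com Offsite File Backup in Use"; '
        'flow:established,to_server; uricontent:"/subscribe?host_int="; '
        'uricontent:"&ns_map="; uricontent:"&ts="; '
        'content:".dropbox.com|0d 0a|"; classtype:policy-violation; '
        'sid:2012647; rev:2;)')

def decode_pattern(text: str) -> bytes:
    """Snort content syntax: text outside |...| is literal, inside is hex bytes."""
    out = b""
    for i, part in enumerate(text.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode()
    return out

def parse_rule(rule: str) -> dict:
    """Pull msg, sid and the uricontent/content patterns out of the rule body."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    return {
        "msg": re.search(r'msg:"([^"]*)"', body).group(1),
        "sid": int(re.search(r'sid:(\d+)', body).group(1)),
        "uricontent": [decode_pattern(p) for p in re.findall(r'uricontent:"([^"]*)"', body)],
        "content": [decode_pattern(p) for p in re.findall(r'(?<!uri)content:"([^"]*)"', body)],
    }

def matches(rule: dict, request: bytes) -> bool:
    """uricontent must appear in the request URI, content anywhere in the payload.
    (No URI normalisation or flow tracking here, unlike the real engine.)"""
    request_line = request.split(b"\r\n", 1)[0].split(b" ")
    uri = request_line[1] if len(request_line) > 1 else b""
    return (all(p in uri for p in rule["uricontent"])
            and all(p in request for p in rule["content"]))

# Constructed sample requests (not captured traffic): a Dropbox-client style
# notification long-poll, and an unrelated request that shares part of the path.
DROPBOX_REQ = (b"GET /subscribe?host_int=1234567&ns_map=111_222&ts=1302270000 HTTP/1.1\r\n"
               b"Host: notify.dropbox.com\r\n\r\n")
OTHER_REQ = b"GET /subscribe?host_int=1&ts=2 HTTP/1.1\r\nHost: example.test\r\n\r\n"

def alerts(requests) -> list:
    """Return (sid, msg) for each request the rule fires on, in order."""
    rule = parse_rule(RULE)
    return [(rule["sid"], rule["msg"]) for r in requests if matches(rule, r)]
```

Note that every pattern has to match, so a request that carries only some of the query parameters (the second sample) does not fire, which is worth knowing before deciding the rule is safe to move to a blocking action.
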

    1. Re:Dropbox IPS sig from EmergingThreats by slyborg · · Score: 3, Insightful

      Maybe you should find out what people are using the DB access for first...at my company, we use it as a working drop for communicating external documents with outside vendors, more convenient than shoveling everything around via email.

      My old joke about the ideal network for the network admin is a single computer in a bank vault, unplugged. It's unfortunate that the job basically is all downside in terms of incidents, but ultimately the job should still be to *facilitate* employee access to company data, customers, and each other. Otherwise you are actively impeding the profitability of your company.

  17. Re:Full Article (site is /.'ed) by hoggoth · · Score: 2

    Ignore all those other replies that say, basically, "because they are too stupid to use leet things like rsync."

    Dropbox offers a few advantages over rsync:
    It runs in real time and detects changed files, syncing them instantly without polling the filesystem (using services like inotify).
    It has iPhone and Android clients.
    It's easy to install and doesn't carry other requirements like cygwin, and doesn't break in all kinds of odd corner cases like rsync on windows does.
    It offers central management of which computers sync which files and folders (well, SugarSync does this much better).
    It offers a web based view of your synced files for when you don't have your own computer. (This can be a plus or minus depending on your viewpoint).
    It keeps backup copies of your deleted and changed files.

    I'm not denigrating rsync here, it is a fantastic program that runs flawlessly and efficiently. It just doesn't get along with Windows very well and not with iPhone or Android at all.
    I had set up a great system using Unison (similar to rsync) on multiple machines, running from cron or Scheduled Tasks twice a day to an OpenSolaris system with ZFS that made snapshots of the filesystems twice a day. I dare you to have your grandmother set that up.

    --
    - For the complete works of Shakespeare: cat /dev/random (may take some time)
  18. get me my war dialer... by locust · · Score: 2

    Given that the id is the only token used to get data, what in the Dropbox system prevents me from iterating across the id space, until I find some really juicy data?

  19. Yawn! by guybrush3pwood · · Score: 2

    but you might be a little surprised to learn that

    Do you know what would surprise me? If someone came along and told me "I've built an unbreakable, un-hackable, totally trustworthy system. Here's the proof. It's free. Enjoy." Anything short of that can only aspire to be amusing, but never surprising.

    --
    Perhaps I'm trolling, perhaps I'm not.