Slashdot Mirror

← Back to Stories (view on slashdot.org)

Dropbox Authentication: Insecure By Design

Posted by Soulskill on from the drag-and-drop-and-hey-stop-that dept.

An anonymous reader writes "Dropbox can be very useful, but you might be a little surprised to learn that by copying one file from a computer running the application, an attacker can access and download all of your files without any obvious signs of compromise. Normal remediation steps after a compromise such as password rotation, system re-image, etc will not prevent continued access to the compromised Dropbox. Derek Newton, a security researcher that published this finding yesterday, discusses the security implications of this by-design security authentication method on his blog."

15 of 168 comments (clear)

  1. What about Ubuntu One? by josgeluk · · Score: 3, Interesting

    Ubuntu One is a similar service, running native on Ubuntu systems. I wonder whether that has the same built-in vulnerability.

    1. Re:What about Ubuntu One? by Dr_Barnowl · · Score: 5, Informative

      Ubuntu One uses OAuth, which should have a sensible means of expiring tokens.

      And seeing the sibling poster - obligatory extra SPAAAAM! Ahem... U1 is currently cheaper than Dropbox, being a buck fifty per GB per year, rather than the 2 bucks per GB that Dropbox charge, and you can get extra storage in smaller increments, so if you need 60GB you'll only need to shell out $90 per year for 3x20GB packs, not $200 for the 100GB account on Dropbox. The downside is that the service isn't quite as good as Dropbox ; their Windows client is less mature than their Linux client, it doesn't AFAICT have LAN syncing, or delta compression. The upside is that you could view it as supporting something important to you, if that has value in your personal catalogue. And it's cheaper for the same volume of storage.

  2. /.'ed by just_another_sean · · Score: 3, Informative

    Site seems to be /.'ed already. Here is another site mirroring the original blog.

    --
    Creationist Textbook Stickers Declared Unconstitutional by CowboyNeal
    1. Re:/.'ed by clang_jangle · · Score: 4, Informative
      FTFA (emphasis in bold added)

      Dropbox Insecure by Design
      / by / Mr. P / on / April 08, 2011 @ 4:54 am
      References
      Sources:
      http://dereknewton.com/2011/04/dropbox-authentication-static-host-ids/
      Security Engineer Derek Newton recently discovered a vulnerability in Dropbox's authentication mechanism, whilst looking for forensic traces left behind by such software. Derek discovered that in one of Dropbox's SQLite Database files, config.db, there are 3 fields contained:

      Email
      Dropbox_Path
      Host_ID


      After testing (by modification of existing fields), Derek was able to determine that the only field that affected authentication in any way, was host_id. Any other fields did not affect the way in which the machine was able to communicate or sync files with Dropbox. After some more testing, Derek was able to prove that by taking the config.db, and installing it/copying it to another machine, that he was instantly able to access/sync the existing files of that users' Dropbox. In doing so, he was not once prompted for authentication or credentials, and the user was not notified of any access to their files.

      This carries a lot of implications, as stated by Derek, as it allows Malware to quickly and quietly steal access to your files, without you knowing. It also allows malicious users to copy over a very small file in order to steal many larger files later, rather than copying over all the files at the time of theft. Malware would also be able to be persistently installed in the Dropbox files, so that when a user reformats their computer, it is simply synced and run all over again.

      A user would need to delete/revoke the affected device ID from their Dropbox after infection to prevent continued access.

      Note this requires an attacker to already have access to the config.db, i.e. one must have physical access to the machine and already be logged in as a privileged user or owner of the config.db.

      --
      Caveat Utilitor
    2. Re:/.'ed by JimFive · · Score: 5, Interesting

      Note this requires an attacker to already have access to the config.db, i.e. one must have physical access to the machine and already be logged in as a privileged user or owner of the config.db.

      No it doesn't. It requires an attacker to create their own config.db file and guess the hostID. How long is that HostID and how is it generated?
      --
      JimFive

      --
      Please stop using the word theory when you mean hypothesis.
  3. Re:Dropbox by Hijacked+Public · · Score: 5, Insightful

    There is a significant difference between a service I find useful for embedding photos on web forums, or similar things, and one I'd store my plain text tax forms on.

    --
    "Sacrifice for the good of The State" - The State
  4. Re:Dropbox by Anonymous Coward · · Score: 3, Funny

    Agreed! I upload my tax forms to Pastebin and keep my photos securely locked away.

  5. Re:Duh? by meloneg · · Score: 4, Interesting

    But, according to the summary up there, this one survives password changes. That's really the gotcha. It sounds like they are using something similar to the SSH authentication keys. http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&sektion=1

    But, they really need to implement a way to reset the key files and force you to restart the authentication cycle.

  6. Re:Dropbox by Wrath0fb0b · · Score: 3, Insightful

    Replying to undue accidental 'redundant' instead of 'informative'.

    Doh. Also poster is right. Different data have different security requirements -- think about that for a while.

  7. Re:Slashdotted before the comments even started? by hedwards · · Score: 3, Insightful

    I'm always shocked by how much load is put on a server by people not reading the article.

  8. Re:Dropbox by lgw · · Score: 4, Funny

    Actually I find Dropbox to be very useful for things like ebooks and technical PDFs.

    I can access them from my desktop, iPhone, iPad, wherever.

    And so can I! Thanks for putting those up there, by the way, it doesn't work if everyone leeches.

    --
    Socialism: a lie told by totalitarians and believed by fools.
  9. the Cloud is ... by Tumbleweed · · Score: 3, Insightful

    Someone else's computer

  10. Re:Duh? by hoggoth · · Score: 5, Informative

    Then they did it wrong.
    Truecrypt encrypts your data with a key. This key is encrypted with ANOTHER key (your password). You can change your password and it will reencrypt the encrypted key, without having to reencrypt all of your data.

    --
    - For the complete works of Shakespeare: cat /dev/random (may take some time)
  11. Re:Short Version of the Article by Carnildo · · Score: 5, Informative

    That's a gross oversimplification. A better one-line summary is:

    "If someone gets access to your Dropbox credentials, they have permanent access to your files, even if you change your password."

    That last bit is what the article is about.

    --
    "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
  12. Re:Dropbox IPS sig from EmergingThreats by slyborg · · Score: 3, Insightful

    Maybe you should find out what people are using the DB access for first...at my company, we use it as a working drop for communicating external documents with outside vendors, more convenient than shoveling everything around via email.

    My old joke about the ideal network for the network admin is a single computer in a bank vault, unplugged. It's unfortunate that the job basically is all downside in terms of incidents, but ultimately the job should still be to *facilitate* employee access to company data, customers, and each other. Otherwise you are actively impeding the profitability of your company.