Slashdot Mirror

← Back to Stories (view on slashdot.org)

Dropbox Authentication: Insecure By Design

Posted by Soulskill on from the drag-and-drop-and-hey-stop-that dept.

An anonymous reader writes "Dropbox can be very useful, but you might be a little surprised to learn that by copying one file from a computer running the application, an attacker can access and download all of your files without any obvious signs of compromise. Normal remediation steps after a compromise such as password rotation, system re-image, etc will not prevent continued access to the compromised Dropbox. Derek Newton, a security researcher that published this finding yesterday, discusses the security implications of this by-design security authentication method on his blog."

8 of 168 comments (clear)

  1. Re:Dropbox by Hijacked+Public · · Score: 5, Insightful

    There is a significant difference between a service I find useful for embedding photos on web forums, or similar things, and one I'd store my plain text tax forms on.

    --
    "Sacrifice for the good of The State" - The State
  2. Re:Duh? by meloneg · · Score: 4, Interesting

    But, according to the summary up there, this one survives password changes. That's really the gotcha. It sounds like they are using something similar to the SSH authentication keys. http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&sektion=1

    But, they really need to implement a way to reset the key files and force you to restart the authentication cycle.

  3. Re:What about Ubuntu One? by Dr_Barnowl · · Score: 5, Informative

    Ubuntu One uses OAuth, which should have a sensible means of expiring tokens.

    And seeing the sibling poster - obligatory extra SPAAAAM! Ahem... U1 is currently cheaper than Dropbox, being a buck fifty per GB per year, rather than the 2 bucks per GB that Dropbox charge, and you can get extra storage in smaller increments, so if you need 60GB you'll only need to shell out $90 per year for 3x20GB packs, not $200 for the 100GB account on Dropbox. The downside is that the service isn't quite as good as Dropbox ; their Windows client is less mature than their Linux client, it doesn't AFAICT have LAN syncing, or delta compression. The upside is that you could view it as supporting something important to you, if that has value in your personal catalogue. And it's cheaper for the same volume of storage.

  4. Re:/.'ed by clang_jangle · · Score: 4, Informative
    FTFA (emphasis in bold added)

    Dropbox Insecure by Design
    / by / Mr. P / on / April 08, 2011 @ 4:54 am
    References
    Sources:
    http://dereknewton.com/2011/04/dropbox-authentication-static-host-ids/
    Security Engineer Derek Newton recently discovered a vulnerability in Dropbox's authentication mechanism, whilst looking for forensic traces left behind by such software. Derek discovered that in one of Dropbox's SQLite Database files, config.db, there are 3 fields contained:

    Email
    Dropbox_Path
    Host_ID


    After testing (by modification of existing fields), Derek was able to determine that the only field that affected authentication in any way, was host_id. Any other fields did not affect the way in which the machine was able to communicate or sync files with Dropbox. After some more testing, Derek was able to prove that by taking the config.db, and installing it/copying it to another machine, that he was instantly able to access/sync the existing files of that users' Dropbox. In doing so, he was not once prompted for authentication or credentials, and the user was not notified of any access to their files.

    This carries a lot of implications, as stated by Derek, as it allows Malware to quickly and quietly steal access to your files, without you knowing. It also allows malicious users to copy over a very small file in order to steal many larger files later, rather than copying over all the files at the time of theft. Malware would also be able to be persistently installed in the Dropbox files, so that when a user reformats their computer, it is simply synced and run all over again.

    A user would need to delete/revoke the affected device ID from their Dropbox after infection to prevent continued access.

    Note this requires an attacker to already have access to the config.db, i.e. one must have physical access to the machine and already be logged in as a privileged user or owner of the config.db.

    --
    Caveat Utilitor
  5. Re:Dropbox by lgw · · Score: 4, Funny

    Actually I find Dropbox to be very useful for things like ebooks and technical PDFs.

    I can access them from my desktop, iPhone, iPad, wherever.

    And so can I! Thanks for putting those up there, by the way, it doesn't work if everyone leeches.

    --
    Socialism: a lie told by totalitarians and believed by fools.
  6. Re:Duh? by hoggoth · · Score: 5, Informative

    Then they did it wrong.
    Truecrypt encrypts your data with a key. This key is encrypted with ANOTHER key (your password). You can change your password and it will reencrypt the encrypted key, without having to reencrypt all of your data.

    --
    - For the complete works of Shakespeare: cat /dev/random (may take some time)
  7. Re:Short Version of the Article by Carnildo · · Score: 5, Informative

    That's a gross oversimplification. A better one-line summary is:

    "If someone gets access to your Dropbox credentials, they have permanent access to your files, even if you change your password."

    That last bit is what the article is about.

    --
    "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
  8. Re:/.'ed by JimFive · · Score: 5, Interesting

    Note this requires an attacker to already have access to the config.db, i.e. one must have physical access to the machine and already be logged in as a privileged user or owner of the config.db.

    No it doesn't. It requires an attacker to create their own config.db file and guess the hostID. How long is that HostID and how is it generated?
    --
    JimFive

    --
    Please stop using the word theory when you mean hypothesis.