
Dropbox Authentication: Insecure By Design

An anonymous reader writes "Dropbox can be very useful, but you might be a little surprised to learn that by copying one file from a computer running the application, an attacker can access and download all of your files without any obvious signs of compromise. Normal remediation steps after a compromise such as password rotation, system re-image, etc. will not prevent continued access to the compromised Dropbox. Derek Newton, a security researcher who published this finding yesterday, discusses the security implications of this by-design authentication method on his blog."
  • Duh? (Score:2, Informative)

    by zachriggle ( 884803 ) on Friday April 08, 2011 @03:10PM (#35761582)
    If your local machine is accessed by an untrustworthy party and they get your shared secret/API token/whatever, they can impersonate you. ALSO: Applications store your login information locally when you request that they save your login information!!! News at eleven.
  • /.'ed (Score:4, Informative)

    by just_another_sean ( 919159 ) on Friday April 08, 2011 @03:11PM (#35761600) Journal

    Site seems to be /.'ed already. Here is another site mirroring the original blog [greyhat-security.com].

  • by Dr_Barnowl ( 709838 ) on Friday April 08, 2011 @03:30PM (#35761808)

    Ubuntu One uses OAuth, which should have a sensible means of expiring tokens.

    And seeing the sibling poster - obligatory extra SPAAAAM! Ahem... U1 is currently cheaper than Dropbox, being a buck fifty per GB per year, rather than the 2 bucks per GB that Dropbox charge, and you can get extra storage in smaller increments, so if you need 60GB you'll only need to shell out $90 per year for 3x20GB packs, not $200 for the 100GB account on Dropbox. The downside is that the service isn't quite as good as Dropbox; their Windows client is less mature than their Linux client, and it doesn't AFAICT have LAN syncing or delta compression. The upside is that you could view it as supporting something important to you, if that has value in your personal catalogue. And it's cheaper for the same volume of storage.

  • Re:/.'ed (Score:5, Informative)

    by clang_jangle ( 975789 ) on Friday April 08, 2011 @03:30PM (#35761820) Journal
    FTFA (emphasis in bold added)

    Dropbox Insecure by Design
    by Mr. P on April 08, 2011 @ 4:54 am
    References
    Sources:
    http://dereknewton.com/2011/04/dropbox-authentication-static-host-ids/ [dereknewton.com]
    Security Engineer Derek Newton recently discovered a vulnerability in Dropbox's authentication mechanism, whilst looking for forensic traces left behind by such software. Derek discovered that one of Dropbox's SQLite database files, config.db, contains three fields:

    Email
    Dropbox_Path
    Host_ID


    After testing (by modification of existing fields), Derek was able to determine that the only field that affected authentication in any way was host_id. The other fields did not affect the way in which the machine was able to communicate or sync files with Dropbox. After some more testing, Derek was able to prove that by taking the config.db and installing it/copying it to another machine, he was instantly able to access/sync the existing files of that user's Dropbox. In doing so, he was not once prompted for authentication or credentials, and the user was not notified of any access to their files.

    This carries a lot of implications, as stated by Derek, as it allows malware to quickly and quietly steal access to your files without you knowing. It also allows malicious users to copy over a very small file in order to steal many larger files later, rather than copying over all the files at the time of theft. Malware could also be persistently installed in the Dropbox files, so that when a user reformats their computer, it is simply synced and run all over again.

    A user would need to delete/revoke the affected device ID from their Dropbox after infection to prevent continued access.

    Note this requires an attacker to already have access to the config.db, i.e. one must have physical access to the machine and already be logged in as a privileged user or owner of the config.db.

  • Re:Duh? (Score:5, Informative)

    by hoggoth ( 414195 ) on Friday April 08, 2011 @04:22PM (#35762500) Journal

    Then they did it wrong.
    Truecrypt encrypts your data with a key. This key is encrypted with ANOTHER key (your password). You can change your password and it will re-encrypt the encrypted key, without having to re-encrypt all of your data.
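The two-layer scheme hoggoth describes, as an added example that is not from the post or from TrueCrypt itself: a random data key encrypts the bulk data, a password-derived key wraps only the data key, and a password change re-wraps that one 32-byte key while the data ciphertext stays untouched. It uses only the Python standard library, so the bulk cipher is an HMAC-SHA256 counter-mode keystream standing in for a real block cipher (an assumption for the sake of running offline), and the header format (salt, wrapped key, tag) is constructed here.

```python
import hashlib
import hmac
import secrets

def _kdf(password, salt):
    """Derive 64 bytes from the password: first half wraps the key, second half authenticates."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=64)

def _stream(key, nonce, n):
    # HMAC-SHA256 in counter mode as a keystream (stdlib stand-in for a real stream/block cipher)
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def wrap_key(data_key, password):
    """Header = salt(16) || data_key XOR enc_key(32) || HMAC tag(32). Fresh salt per wrap,
    so the 32-byte enc_key is used exactly once and XOR is a valid encryption of the data key."""
    salt = secrets.token_bytes(16)
    derived = _kdf(password, salt)
    wrapped = _xor(data_key, derived[:32])
    tag = hmac.new(derived[32:], wrapped, hashlib.sha256).digest()
    return salt + wrapped + tag

def unwrap_key(header, password):
    salt, wrapped, tag = header[:16], header[16:48], header[48:]
    derived = _kdf(password, salt)
    expected = hmac.new(derived[32:], wrapped, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong password or corrupted header")
    return _xor(wrapped, derived[:32])

def encrypt_data(data_key, plaintext):
    nonce = secrets.token_bytes(16)
    return nonce + _xor(plaintext, _stream(data_key, nonce, len(plaintext)))

def decrypt_data(data_key, blob):
    nonce, ct = blob[:16], blob[16:]
    return _xor(ct, _stream(data_key, nonce, len(ct)))

def change_password(header, old_password, new_password):
    """Re-wrap the same data key under the new password; bulk ciphertext is never touched."""
    return wrap_key(unwrap_key(header, old_password), new_password)
```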

  • by Carnildo ( 712617 ) on Friday April 08, 2011 @04:23PM (#35762520) Homepage Journal

    That's a gross oversimplification. A better one-line summary is:

    "If someone gets access to your Dropbox credentials, they have permanent access to your files, even if you change your password."

    That last bit is what the article is about.
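A model of the design flaw in the quoted article and in Carnildo's one-line summary, added here as an example and not code from Dropbox or from the article: a service where a static host_id alone authorizes sync and survives a password change, beside the alternative where device tokens are server-side objects that a password rotation or an explicit revoke cuts off. The service classes, password hashing and scenario are constructed for this illustration.

```python
import hashlib
import hmac
import secrets

class StaticHostIdService:
    """Client keeps a static host_id (as in config.db); the host_id alone authorizes sync
    and is never tied to the password, matching the behaviour the article describes."""
    def __init__(self, password):
        self.host_ids = set()
        self._set_password(password)

    def _set_password(self, password):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 50_000)

    def check_password(self, password):
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 50_000)
        return hmac.compare_digest(cand, self.pw_hash)

    def link_device(self, password):
        """Password checked once at install; the returned host_id is what the client stores."""
        if not self.check_password(password):
            raise PermissionError("bad password")
        host_id = secrets.token_hex(16)
        self.host_ids.add(host_id)
        return host_id

    def change_password(self, old, new):
        if not self.check_password(old):
            raise PermissionError("bad password")
        self._set_password(new)      # host_ids untouched: a copied one keeps working

    def authorize_sync(self, host_id):
        return host_id in self.host_ids

class RevocableDeviceTokenService(StaticHostIdService):
    """Same flow, but linked devices can be revoked and a password change unlinks them
    (the remediation the article says does not work against a static host_id)."""
    def change_password(self, old, new):
        super().change_password(old, new)
        self.host_ids.clear()        # every device must re-authenticate with the new password

    def revoke_device(self, host_id):
        self.host_ids.discard(host_id)

def stolen_token_scenario(service_cls):
    """Victim links a device, the host_id is copied, the victim then rotates the password.
    Returns (copy works before rotation, copy still works after rotation)."""
    svc = service_cls("hunter2")
    stolen_id = svc.link_device("hunter2")          # same value as the victim's config.db entry
    before = svc.authorize_sync(stolen_id)
    svc.change_password("hunter2", "correct horse battery staple")
    return before, svc.authorize_sync(stolen_id)
```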
