Dropbox Authentication: Insecure By Design 168
An anonymous reader writes "Dropbox can be very useful, but you might be a little surprised to learn that by copying one file from a computer running the application, an attacker can access and download all of your files without any obvious signs of compromise. Normal remediation steps after a compromise such as password rotation, system re-image, etc will not prevent continued access to the compromised Dropbox. Derek Newton, a security researcher that published this finding yesterday, discusses the security implications of this by-design security authentication method on his blog."
Duh? (Score:2, Informative)
/.'ed (Score:4, Informative)
Site seems to be /.'ed already. Here is another site mirroring the original blog [greyhat-security.com].
Re:What about Ubuntu One? (Score:5, Informative)
Ubuntu One uses OAuth, which should have a sensible means of expiring tokens.
And seeing the sibling poster - obligatory extra SPAAAAM! Ahem... U1 is currently cheaper than Dropbox, being a buck fifty per GB per year, rather than the 2 bucks per GB that Dropbox charge, and you can get extra storage in smaller increments, so if you need 60GB you'll only need to shell out $90 per year for 3x20GB packs, not $200 for the 100GB account on Dropbox. The downside is that the service isn't quite as good as Dropbox ; their Windows client is less mature than their Linux client, it doesn't AFAICT have LAN syncing, or delta compression. The upside is that you could view it as supporting something important to you, if that has value in your personal catalogue. And it's cheaper for the same volume of storage.
Re:/.'ed (Score:5, Informative)
Note this requires an attacker to already have access to the config.db, i.e. one must have physical access to the machine and already be logged in as a privileged user or owner of the config.db.
Re:Duh? (Score:5, Informative)
Then they did it wrong.
Truecrypt encrypts your data with a key. This key is encrypted with ANOTHER key (your password). You can change your password and it will reencrypt the encrypted key, without having to reencrypt all of your data.
Re:Short Version of the Article (Score:5, Informative)
That's a gross oversimplification. A better one-line summary is:
"If someone gets access to your Dropbox credentials, they have permanent access to your files, even if you change your password."
That last bit is what the article is about.