Dropbox Authentication: Insecure By Design

An anonymous reader writes "Dropbox can be very useful, but you might be a little surprised to learn that by copying one file from a computer running the application, an attacker can access and download all of your files without any obvious signs of compromise. Normal remediation steps after a compromise such as password rotation, system re-image, etc will not prevent continued access to the compromised Dropbox. Derek Newton, a security researcher that published this finding yesterday, discusses the security implications of this by-design security authentication method on his blog."

What about Ubuntu One?

[josgeluk]

Ubuntu One is a similar service, running native on Ubuntu systems. I wonder whether that has the same built-in vulnerability.

Re:Duh?

[meloneg]

But, according to the summary up there, this one survives password changes. That's really the gotcha. It sounds like they are using something similar to the SSH authentication keys. http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&sektion=1 [openbsd.org]

But, they really need to implement a way to reset the key files and force you to restart the authentication cycle.

Re:/.'ed

[JimFive]

Note this requires an attacker to already have access to the config.db, i.e. one must have physical access to the machine and already be logged in as a privileged user or owner of the config.db.

No it doesn't. It requires an attacker to create their own config.db file and guess the hostID. How long is that HostID and how is it generated?
--
JimFive