Major Dropbox security flaw discovered

Dropbox is a popular tool used to sync files between the multiple computers and devices that a user owns. A user installs the software, designates a folder to keep synchronized, and can then access those files from the other machines they own. The tool was even picked as one of the top ten tools that every PC should have installed.

Unfortunately, it appears that the tool has a major security flaw that could expose your files to everyone on the Internet. According to security specialist Derek Newton, the issue stems from the fact that the tool uses a simple configuration file to link all of a user's Dropbox machines together. The file, config.db, is a small table that contains only three fields: email, dropbox_path, and host_id. Since the host_id is not actually tied to a specific host and does not appear to change over time, an attacker could create a piece of malware that silently locates the config.db file and sends it back. The attacker could then start up a copy of Dropbox with the stolen config file in place and instantly become part of the victim's mesh of computers. The tool does not tell the user how many machines are connected, so the victim would have no way of knowing that their files were being stolen.

Some comments say that this is no different from a stolen password or SSH keyring, but it seems to be much more serious than that, because the user has no way to change the authentication credential involved. If you suspect your email has been compromised, you can change the password. If you suspect that your Dropbox has been compromised, you have fewer options. The article gives the following advice for users of the tool:

  1. Don’t use Dropbox and/or allow your users to use Dropbox.  This is the obvious remediating step, but is not always practical – I do think that Dropbox can be useful, if you take steps to protect your data…
  2. Protect your data: use strong encryption to protect sensitive data stored in your Dropbox and protect your passphrase (do not store your passphrase in your Dropbox or on the same system/device).
  3. Be diligent about removing old systems from your list of authorized systems within Dropbox.  Also, monitor the “Last Activity” time listed on the My Computers list within Dropbox.  If you see a system checking in that shouldn’t be, unlink it immediately.

It's unknown whether Dropbox considers this a flaw or a feature. Regardless, expect to see more issues like this as cloud computing becomes even more ubiquitous on the Internet.

32 Comments


Never really used these services, but is it not cheaper and easier just to get some webspace and then set up a protected area that you can upload files to with FTP as normal and access from a browser once you log in?

It's the most basic of code to do it. Of course you need to spend a little time to set it up right. You could even set it up to log all logins to a database or email you when it happens.

I think that the biggest risk is that the config file could be snooped over an insecure connection... is the data sent as plaintext?

Anything that is put online on somebody else's server can be hacked, stolen, copied, redistributed, snooped upon etc. For stuff you don't care about I guess it's OK to use hosting based services. It all depends on the sensitivity of the data. For more confidential and valuable stuff one should try to use more secure mechanisms such as a private VPN, or tools like Binfer[http://www.binfer.com] that make it even simpler to transfer files securely. Heck, FedEx is still in business for transporting the most confidential stuff.

This won't stop me from using Dropbox. I find it to be a very good service. But thanks for the notice. I'll re hard-backup right now!!!

The article isn't terribly clear, but it sounds to me that once someone's got your config.db file, there's no recourse for blocking access. Even if you do manage to clean up your system from whatever flaw/user error that allowed the file to be stolen, because all that's needed to access your account is the data that's in the file, the other party continues to have access to whatever's in your dropbox account.

If that's the case...then while it's one thing to claim "you already have bigger problems if your system's already compromised", it seems to me that Dropbox is doing nothing to mitigate the situation when your system *does* get compromised. And that's what sets it apart, and that's *bad*.

_dandy_ said,
The article isn't terribly clear, but it sounds to me that once someone's got your config.db file, there's no recourse for blocking access. Even if you do manage to clean up your system from whatever flaw/user error that allowed the file to be stolen, because all that's needed to access your account is the data that's in the file, the other party continues to have access to whatever's in your dropbox account.

If that's the case...then while it's one thing to claim "you already have bigger problems if your system's already compromised", it seems to me that Dropbox is doing nothing to mitigate the situation when your system *does* get compromised. And that's what sets it apart, and that's *bad*.

Edit: Holy ****. Now that I've read the article (and not just the summary here), that *is* the case. Until you remove the system associated with the hostid value, the attacker continues to have access to your files. And the Dropbox reps don't see a problem with this????

I've inquired with Dropbox about this, and a support rep agreed that it sounds serious, but they don't agree with the assertion that there is a security flaw.

Extract from the email I received:
"The article claims that an attacker would be able to gain access to a user's Dropbox account if they are able to get physical access to the user's computer. In reality, at the point an attacker has physical access to a computer, the security battle is already lost.

The research claims Dropbox is insecure because it is possible to copy authentication information straight from the user's hard drive. This 'flaw' exists with any service that uses file-based authentication. Practically every web service uses "cookies" that are stored on your hard drive and are susceptible to all the same attacks mentioned by the research. The same user who has access to your Dropbox file also could steal your browser cookies and gain access to all your web services such as email and banking.

A simple metaphor: You keep a set of keys to your car inside your house, but don't lock the front door to the house. If someone enters your house they can get your keys and get into your car. Your car's lock is not faulty but the thief is already inside your house and can take everything, including your car.

The same goes for your computer (the house). Keep it secure and your keys to Dropbox (the car) will be safe.

You should also read this blog from Computer World's security expert for an outside perspective:

http://blogs.computerworlduk.c...x-security-advice/index.htm

All that said, Dropbox has a reputation for being secure and we want all our users to feel comfortable storing anything in Dropbox. There are measures that can be taken to make it more difficult (though not impossible) to gain access to the authentication cookie which we'll consider in the future. We still want to maintain the ease of use of Dropbox as well and don't want you to need a new set of car keys every time you park your car."

While I see his point, I am still not convinced. I would feel safer if further security measures were implemented.

If this is the case, I wonder how safe something like 1Password is, as it can use Dropbox to sync your password file. Although that is supposed to be encrypted itself.

Surely if someone has managed to get access to that config file, they already have access to your entire system so they could just browse all your files, including your Dropbox folder!

If a piece of malware is able to copy and transfer that single file from your computer then it could do a lot worse like monitoring your keystrokes as you visit your bank.

Sure this is a security issue but it is no more a major security flaw than having malware on your PC in the first place.

Vice said,
If a piece of malware is able to copy and transfer that single file from your computer then it could do a lot worse like monitoring your keystrokes as you visit your bank.

Sure this is a security issue but it is no more a major security flaw than having malware on your PC in the first place.


I agree. This is a minor issue when put in perspective.

Yes, if a malware can start reading files you have access to, a Dropbox folder could be accessible (but who stores sensitive stuff unencrypted in the cloud anyway?), but also large parts of your hard drive. If you run as Admin - basically everything on it.

This just in! Major security flaw in Windows could allow attackers to gain private information! A piece of malware could be crafted to resemble an innocuous security program, or useful tool. If a Windows user with administrative privileges activates the malware, it could send personal information back to a remote server, including your passwords and credit card details!

/end sarcasm.

The same thing applies to any system with access to the Internet. You just have to make sure you're well protected, and be smart-- don't open unknown files, and keep your virus definitions up to date.

cyberdrone2000 said,
This just in! Major security flaw in Windows could allow attackers to gain private information! A piece of malware could be crafted to resemble an innocuous security program, or useful tool. If a Windows user with administrative privileges activates the malware, it could send personal information back to a remote server, including your passwords and credit card details!

/end sarcasm.

The same thing applies to any system with access to the Internet. You just have to make sure you're well protected, and be smart-- don't open unknown files, and keep your virus definitions up to date.


While all that is true, it's a pretty lazy excuse for such a popular program to have such simple security... Even Windows Live Messenger, a simple IM, can show how many computers I am logged in on, and I can log out from any of them from any other, and that's true for all MS Live products...

kabix said,
That's a major security flaw?

it will be major very soon, when somebody writes a worm that steals this config.db file....

kabix said,
That's a major security flaw?

Only if you are infected with malware so they have complete and unrestricted access to your user profile and at least everything your user can access.

In which case one could argue that you have numerous other major problems on your hands. I'm sure there are lots of goodies in the Windows Registry file for example, other than Dropbox's config file... And the hard drive in general itself, of course.

Northgrove said,

Only if you are infected with malware so they have complete and unrestricted access to your user profile and at least everything your user can access.

In which case one could argue that you have numerous other major problems on your hands. I'm sure there are lots of goodies in the Windows Registry file for example, other than Dropbox's config file... And the hard drive in general itself, of course.

OK, when you have a worm on your computer, it can access everything on YOUR computer, and upload to a remote server WHEN you are online (OK, most of the time), but if a worm steals the Dropbox credentials, it can access, download or upload whenever it wants regardless of whether your computer is online or not. This is bad especially for those who use Dropbox as a backup for some personal important files.

Actually, SugarSync is essentially in the same boat as Dropbox. In order for their sync to work, SugarSync sends your files to their servers, then from there to your other computers.

When you send your file to their servers, they have total access to it, at least at the beginning, when their servers receive it. If they encrypt the data at this point, that's fine, that's a good security measure, but it doesn't do much for privacy. They have both the encrypted data and the key, which is the same thing as having the decrypted data.

Essentially, any time you send unencrypted data to any online service, you've entered into a trust relationship with them. Only if you encrypt it first on your computer can you ensure actual privacy. Hence, the only real solution is client-side encryption. TrueCrypt gives you this, with some effort, as do PGP or other encryption apps.

My startup just released a small app last week (talk about timing) that was motivated by the very issues discussed here. It works with Dropbox and other sync services, and encrypts your files on your computer before putting them into Dropbox. It's much simpler to use than TrueCrypt and affords essentially the same protection. I'm not trying to spam, but here's the link in case it sounds interesting to anyone. This is an early beta:

http://getsecretsync.com

That's why I recommend my business clients to use VPN. Almost a snap to use.
Emailing small things is also quite convenient. (Keyword small!)

Raa said,
That's why I recommend my business clients to use VPN. Almost a snap to use.
Emailing small things is also quite convenient. (Keyword small!)

Only business? I use VPN to connect to my home PC, SSL on my personal website, and full disk encryption on my home desktop, is it too much ??

Raa said,
That's why I recommend my business clients to use VPN. Almost a snap to use.
Emailing small things is also quite convenient. (Keyword small!)

You clearly have no idea about security, or just general good practice if you are suggesting that email is a good alternative to VPN systems, even for small files.

Raa said,
That's why I recommend my business clients to use VPN. Almost a snap to use.
Emailing small things is also quite convenient. (Keyword small!)

Your VPN client won't do much if they managed to access your config.db file.

ramik said,

Only business? I use VPN to connect to my home PC, SSL on my personal website, and full disk encryption on my home desktop, is it too much ??

What VPN software do you use?

Just use Secure SSH Client. It has a UI too if you want to share files. There is also a free SSH server available for Linux, Windows, Mac, etc. If you want to remotely connect, use the TightVNC client/server product. Again, this is for Linux, Windows, Mac, etc. OSes.

These idiot companies like Dropbox are trying to solve a problem which 0.000001% of the people in the world "could" have. Besides, this is way too much hassle and you're giving your personal files to some idiot company to manage. Why? How can you trust someone else more than yourself with your stuff? Are you that ****ing stoned?

I would only make an account on websites like this to store trash - things that are not mine and are publicly available which I am attached to and fear that it may not be available anymore.

Edited by Jebadiah, Apr 14 2011, 6:16am :