Dropbox is a popular tool used to sync files between the computers and devices a user owns. A user installs the software, designates a folder to keep synchronized, and can then access those files from their other machines. The tool was even picked as one of the top ten tools that every PC should have installed.
Unfortunately, it appears that the tool has a major security flaw that could expose your files to anyone on the Internet. According to security specialist Derek Newton, the issue stems from the fact that the tool uses a simple configuration file to link a user's Dropbox machines together. That file, config.db, is a small SQLite database whose table contains only three fields: email, dropbox_path, and host_id. The host_id is not actually tied to a specific host and does not appear to change over time, so an attacker could write malware that silently locates config.db and sends it back. The attacker could then start a copy of Dropbox with the stolen config file in place and instantly become part of the victim's mesh of computers, without ever needing the account password. The client does not show the user how many machines are linked, so the victim would have no obvious sign that their files were being stolen.
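The following Python script is an added example, not code from the article or from Dropbox, showing what the described weakness looks like from a triage point of view: it builds a constructed config.db-style SQLite file with the three fields the article names, pulls the host_id out of it the way exfiltrating malware would, copies the file to a second directory standing in for the attacker's machine to show that the token survives a plain file copy unchanged, and reports whether the file's POSIX mode bits let other local accounts read it. The table name `config`, the two candidate layouts (one row with a column per field, or key/value rows), and every sample value are assumptions; the page does not give the real schema, so the extractor scans every table rather than relying on one.

```python
import os
import shutil
import sqlite3
import stat
import tempfile

# Field names the article lists for config.db. The table name and layout are
# NOT given on the page, so the extractor scans every table and accepts either
# a column-per-field row or key/value rows (assumption, not Dropbox's real schema).
FIELDS = ("email", "dropbox_path", "host_id")

# Constructed sample values; not taken from any real Dropbox installation.
SAMPLE = {
    "email": "user@example.com",
    "dropbox_path": "/home/user/Dropbox",
    "host_id": "0123456789abcdef0123456789abcdef",
}


def make_sample_config_db(path, layout="columns"):
    """Write a constructed config.db-style SQLite file in one of two layouts."""
    conn = sqlite3.connect(path)
    try:
        if layout == "columns":
            conn.execute("CREATE TABLE config (email TEXT, dropbox_path TEXT, host_id TEXT)")
            conn.execute("INSERT INTO config VALUES (?, ?, ?)",
                         tuple(SAMPLE[f] for f in FIELDS))
        else:
            conn.execute("CREATE TABLE config (key TEXT PRIMARY KEY, value TEXT)")
            conn.executemany("INSERT INTO config VALUES (?, ?)", SAMPLE.items())
        conn.commit()
    finally:
        conn.close()


def extract_link_fields(path):
    """Return {field: value} for every FIELDS entry found in any table of the database.

    Opens the file read-only so a triage run never modifies the evidence.
    (Paths containing '?' or '#' would need URI escaping; temp paths do not.)
    """
    conn = sqlite3.connect("file:%s?mode=ro" % path, uri=True)
    found = {}
    try:
        tables = [r[0] for r in conn.execute(
            "SELECT name FROM sqlite_master WHERE type = 'table'")]
        for table in tables:
            q = '"%s"' % table.replace('"', '""')  # quote the identifier; it comes from the file
            cols = [r[1] for r in conn.execute("PRAGMA table_info(%s)" % q)]
            hits = [c for c in cols if c in FIELDS]
            if hits:  # layout 1: the fields are columns of a single row
                row = conn.execute("SELECT %s FROM %s LIMIT 1" % (
                    ", ".join('"%s"' % c for c in hits), q)).fetchone()
                if row:
                    found.update(zip(hits, row))
            if "key" in cols and "value" in cols:  # layout 2: key/value rows
                for k, v in conn.execute("SELECT key, value FROM %s" % q):
                    if k in FIELDS:
                        found[k] = v
    finally:
        conn.close()
    return found


def exposure_report(path):
    """Summarise what a reader of this file obtains and which local accounts can read it."""
    fields = extract_link_fields(path)
    mode = os.stat(path).st_mode  # POSIX mode bits; Windows ACLs are not reflected here
    return {
        "linked": "host_id" in fields,
        "email": fields.get("email"),
        "host_id_len": len(fields["host_id"]) if "host_id" in fields else 0,
        "group_readable": bool(mode & stat.S_IRGRP),
        "world_readable": bool(mode & stat.S_IROTH),
    }


def demo():
    """Build both sample layouts, then show a plain file copy carries the host_id intact."""
    victim = tempfile.mkdtemp(prefix="victim_")
    attacker = tempfile.mkdtemp(prefix="attacker_")
    col_db = os.path.join(victim, "config.db")
    kv_db = os.path.join(victim, "config_kv.db")
    make_sample_config_db(col_db, "columns")
    make_sample_config_db(kv_db, "keyvalue")
    os.chmod(col_db, 0o644)  # what a 022 umask leaves behind: readable by every local account
    os.chmod(kv_db, 0o600)
    stolen = shutil.copy(col_db, attacker)  # "exfiltration" is nothing more than a copy
    return {
        "victim": extract_link_fields(col_db),
        "keyvalue": extract_link_fields(kv_db),
        "stolen": extract_link_fields(stolen),
        "report_open": exposure_report(col_db),
        "report_private": exposure_report(kv_db),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

The `stolen` entry in the output is byte-for-byte the victim's entry: nothing in the file binds the host_id to the machine it came from, which is the whole problem. The exposure report is the check worth running on a real install, since a world-readable config.db hands the token to every account on a shared system, not only to malware running as the victim.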
Some commenters say this is no different from a stolen password or SSH key, but it seems much more serious, because the user cannot rotate the credential: the host_id is not something the user can change. If you suspect your email has been compromised, you change the password. If you suspect your Dropbox has been compromised, your only recourse is to find the rogue machine and unlink it. The article gives the following advice for users of the tool:
- Don’t use Dropbox and/or allow your users to use Dropbox. This is the obvious remediating step, but is not always practical – I do think that Dropbox can be useful, if you take steps to protect your data…
- Protect your data: use strong encryption to protect sensitive data stored in your Dropbox and protect your passphrase (do not store your passphrase in your Dropbox or on the same system/device).
- Be diligent about removing old systems from your list of authorized systems within Dropbox. Also, monitor the “Last Activity” time listed on the My Computers list within Dropbox. If you see a system checking in that shouldn’t be, unlink it immediately.
It's unknown whether Dropbox considers this a flaw or a feature. Regardless, expect to see more issues like this as cloud computing becomes even more ubiquitous on the Internet.