Update at the foot of the article.
If you, like me, have found the popular cloud-based file hosting platform Dropbox to be an absolute lifesaver, you might be a little surprised to learn that by copying one file from a computer running the application, an attacker can access and download all of your files without you ever knowing.
Security researcher Derek Newton began looking into how how some of the file synchronisation tools operated, particularly what traces of information were left on a system as a result of using the tools. Focusing on Dropbox, the darling of cloud-hosted file synchronisation tools, Newton came across a route that potential attackers could take to gain access to a Dropbox user’s files without their authorisation, possibly without them ever realising their account was being spied upon.
Recognising that other users had reached the same conclusion (here and here), Newton didn’t think that “people [understood] the significance of the way Dropbox [handles] authentication,” so he published his findings from an “authentication standpoint and the significant security implications that the present implementation of Dropbox brings to the table”.
The “attack” is achieved by obtaining the Dropbox ID of a user or by copying files that are associated with a Dropbox install on a user’s computer. With Dropbox users needing to install the client on each computer they wish to synchronise, user credentials are locally stored in data files (sometimes) across numerous workstations.
Newton’s concept, tested on a Windows machine, uses Dropbox’s own configuration files; configuration data, file/directory listings, hashes which are stored in numerous SQLite database files located in %APPDATA%\Dropbox. Inside one file lies a database row containing a users “host_id”, which is used to authenticate each individual user.
Modifying this file and changing the host_id to that of another Dropbox user automatically authenticates the account, providing complete access to that person Dropbox until the user realises that there is a new computer in the “Linked Devices” section of the Dropbox website.
An alternate method, and one that could be somewhat difficult, is to copy the database file to another computer. This method automatically joins the system to the list of connected computers – without notifying the account owner, asking for user credentials or even being added to the list of connected computers on a Dropbox account.
If you are affected by this method, changing your password won’t restrict access, ensuring a person could download Dropbox-hosted files for a long as you use that account.
Both methods require an attacker to gain access to a Dropbox users’ ID or configuration files, so don’t be too worried just yet. It raises an issue that could see malicious malware programs deployed specifically with the intention of copying a user’s Dropbox configuration files and because the file is so inconspicuous, it is unlikely to set off any alarms on your system.
If someone already has access to a Dropbox computer, it would be possible to copy all files, but copying one file and ensuring access to any future files added to the account is a lot more lucrative.
Dropbox will be aware of the potential harm this could cause users, which may motivate it to introduce a new authentication mechanisms that require users to enter their credentials if certain files are edited or replaced, which isn’t necessarily the easiest thing to monitor.
Until it does, Newton recommends taking the following steps to ensure your files are safe:
- Don’t use Dropbox and/or allow your users to use Dropbox. This is the obvious remediating step, but is not always practical – I do think that Dropbox can be useful, if you take steps to protect your data…
- Protect your data: use strong encryption to protect sensitive data stored in your Dropbox and protect your passphrase (do not store your passphrase in your Dropbox or on the same system/device).
- Be diligent about removing old systems from your list of authorized systems within Dropbox. Also, monitor the “Last Activity” time listed on the My Computers list within Dropbox. If you see a system checking in that shouldn’t be, unlink it immediately.
If you are worried about the security of your files generally, it would be advisable to not use Dropbox because files can be transferred to a computer you aren’t necessarily using . The technique used here is more a proof of concept but it does show that Dropbox users need to be aware of how they store their files.
Update: Dropbox has issued a response to Newton’s research, summarising that if someone has access to files on a machine, files are already insecure:
On this specific topic, we don’t agree with the researcher’s assertion that there is a security flaw – Dropbox is a perfectly safe place to store sensitive data. The researcher is claiming that an attacker would be able to gain access to a user’s Dropbox account if they are able to get physical access to the user’s computer.