The article Dropbox authentication: insecure by design by Derek Newton got quite the press in the past week or so. So what exactly did he find to come to this conclusion? Dropbox creates a config.db file in the main application data folder, a SQLite database that can be opened and edited with any SQLite tool. That file is used to identify the device to the Dropbox account. Derek's main discovery is that the file is completely portable: copy it to another computer, install Dropbox there, and the original user's files are synchronized to that new computer without any authentication whatsoever.
This happens completely in the background. The attacker does not have to enter the account credentials to initiate the synchronization. The original user furthermore will not be notified about the transfers, and the new device will not be added to the list of allowed devices in the Dropbox account settings.
To make matters worse, there is only one option to block the attacker from synchronizing and downloading files from the original user's Dropbox: removing the original device from the list of authorized devices in the Dropbox account. But for that, the owner needs to know that the computer was compromised. Changing the account password does not invalidate the config.db file; it can still be used to synchronize data.
One could say that the original user has other problems if someone managed to get access to the computer, and that's definitely true. With that access, one could easily transfer data from the local Dropbox folder, access mounted TrueCrypt volumes or access other files like mailboxes that the user has access to.
That does not, however, make it any less worrying that relying on config.db for authentication is inherently weak. One step in the right direction would be to add safeguards, for instance by linking the file to the system it was authorized on, and by notifying the user of new devices that have connected to the Dropbox account.
You can check for unauthorized access manually on the Dropbox website, but there is no notification option available. And even then, the attacker's device would not appear in the list of devices.
But what about encryption? If you encrypt your Dropbox data you are safe, right? Encryption is not really a complete answer either, considering that an attacker who has local access to a computer could very well have the means to log the decryption on that same system. And it would render file and folder sharing on Dropbox useless.
So what is it that you can do right now? You could for instance make sure that you do not host important files on your Dropbox, and if you do, you should consider encryption as it adds another layer of protection around the Dropbox files. But as we mentioned earlier, it is not a complete safeguard.
You could also start monitoring the config.db file, or change its permissions so that it cannot be accessed by standard system users.
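A small audit script for those two countermeasures, as an added example (not from the article or from Dropbox): it flags a config.db that other local users can read and records a SHA-256 baseline so that later modification or replacement is detected. The default path and the baseline file name are assumptions; note that a plain copy leaves the file untouched, so the permission check is the one that matters against the copy scenario, while the hash only catches tampering.

```python
import hashlib
import json
import os
import stat
from pathlib import Path

# Assumed location of Dropbox's config.db on Linux (example value only);
# pass the real path for your platform to audit().
DEFAULT_CONFIG_DB = Path.home() / ".dropbox" / "config.db"


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 of a file, read in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_permissions(path: Path) -> list:
    """Report group/other access bits or a file not owned by the current user."""
    st = path.stat()
    findings = []
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{path} is accessible by group/other (mode {stat.filemode(st.st_mode)})")
    if hasattr(os, "geteuid") and st.st_uid != os.geteuid():
        findings.append(f"{path} is owned by uid {st.st_uid}, not the current user")
    return findings


def check_integrity(path: Path, baseline_file: Path) -> list:
    """Compare the file hash against a stored baseline; create the baseline if missing."""
    current = {"sha256": sha256_file(path)}
    if not baseline_file.exists():
        baseline_file.write_text(json.dumps(current))
        return []
    baseline = json.loads(baseline_file.read_text())
    if baseline["sha256"] != current["sha256"]:
        return [f"{path} content changed since baseline was recorded"]
    return []


def audit(path: Path = DEFAULT_CONFIG_DB, baseline_file: Path = None) -> list:
    """Run both checks; an empty list means nothing suspicious was found."""
    # Baseline lives next to config.db by default (assumed name).
    baseline_file = baseline_file or path.with_suffix(".baseline.json")
    return check_permissions(path) + check_integrity(path, baseline_file)
```

Run `audit()` from a scheduled task; the first run records the baseline and each later run returns any findings.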
The underlying insecurity, as rare as its exploitation may be, needs to be fixed by Dropbox. You can read Derek's article and several interesting comments on his personal website.