In Dropbox Insecure?, we reported on a security issue that affected all Dropbox users. A configuration file that is placed on an authorized computer after enabling Dropbox on it was improperly protected. Attackers could use the file on any other computer with Dropbox to download all files of the original owner, without entering the Dropbox login credentials or notifications in the Dropbox dashboard that another device was used to download the data.
The issue caused quite the controversy among users, as it could only be exploited if an attacker was able to get access to the computer. And with access, come all kinds of power including the ability to snag files directly from the local computer.
Still, Dropbox addressed the issue quickly on their website and promised to deliver an update that would resolve the issue.
That update is now available in form of an experimental Dropbox 1.2 build for all supported desktop operating systems.
Users can download Dropbox 1.2 from the official Dropbox website. It needs to be noted though that experimental builds may not be as stable as release builds. Cautious users may consider waiting for the final release of Dropbox 1.2 before updating to the new version. This may take a few weeks though.
Dropbox 1.2 introduces a new encrpyted database format to "prevent unauthorized access to local Dropbox client database" in addition to the security enhancements. This is related to the security issue, as the user who discovered the vulnerability in first place did uncover it by analyzing the local Dropbox client database.
Some third party applications that rely on databases will stop working after updating Dropbox to version 1.2.
It took Dropbox less than two weeks to develop the means to protect the configuration files and databases on the local system. Good work.
Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.
We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats or subscription fees.
If you like our content, and would like to help, please consider making a contribution:
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.