In Dropbox Insecure?, we reported on a security issue that affected all Dropbox users. A configuration file that is placed on an authorized computer after enabling Dropbox on it was improperly protected. Attackers could use the file on any other computer with Dropbox to download all files of the original owner, without entering the Dropbox login credentials or notifications in the Dropbox dashboard that another device was used to download the data.
The issue caused quite the controversy among users, as it could only be exploited if an attacker was able to get access to the computer. And with access, come all kinds of power including the ability to snag files directly from the local computer.
Still, Dropbox addressed the issue quickly on their website and promised to deliver an update that would resolve the issue.
That update is now available in form of an experimental Dropbox 1.2 build for all supported desktop operating systems.
Users can download Dropbox 1.2 from the official Dropbox website. It needs to be noted though that experimental builds may not be as stable as release builds. Cautious users may consider waiting for the final release of Dropbox 1.2 before updating to the new version. This may take a few weeks though.
Dropbox 1.2 introduces a new encrpyted database format to "prevent unauthorized access to local Dropbox client database" in addition to the security enhancements. This is related to the security issue, as the user who discovered the vulnerability in first place did uncover it by analyzing the local Dropbox client database.
Some third party applications that rely on databases will stop working after updating Dropbox to version 1.2.
It took Dropbox less than two weeks to develop the means to protect the configuration files and databases on the local system. Good work.
If you like our content, and would like to help, please consider making a contribution: