Dropbox apologies for clunky administrator account access on Macs Dropbox has denied accusations that its Mac client is stealing passwords. Developer Phil Stokes has accused the cloud locker company of sucking up administrator passwords on machines in a bid to reduce the number of permission prompts. Stokes says in analysis that Dropbox's Mac client abused the system preferences’ …
"We only ask for privileges we actively use, but unfortunately some of the permissions aren’t as granular as we would like."
I personally don't care if they "actively use" my admin password, they have no business having it.
I have applications on my Mac like Mountain Duck and the new version of ChronoSync that allow me to mount an SFTP or WebDAV server without handing my password to a 3rd party - they ask me to give them rights during setup (as they need to create a mount in the file system), but not the actual password. That's how it's done properly.
The moment you retain passwords that are none of your business you'll be the first to face questions when data is stolen or accessed by unauthorised 3rd parties. Not a wise move IMHO (well, OK, for my work the very concept of using an untrusted 3rd party would be anathema, but it works for some people).
It works for way too many people, which is why these "apps" continue to request - and obtain - access to elements that have nothing to do with their stated purpose or requirements.
Since when does an app retain the passwords it needs ? It hands the request to the OS, which hands the answer back : fail or pass. Then the app deals with the result. That is called managing security.
This is just the consequence of the phone-app environment where everything accesses everything and the clueless masses bleat in unison while accepting the situation.
I have been boycotting Dropbox since they took on Condoleezza (sp?) Rice as a board member. Since I never had a dropbox account, for me,"boycott" means refusing document links that others send me that they want to share.
Of course I don't use Apple either so this specific issue doesn't bother me.
On another note, I'm curious what other apps do stuff like this; i.e., this one was found, how many more are hiding?
I'm not aware of how good their service is - but I doubt it will try to pwn your MBR, and I saw this with DB in 2012, just before the news of yet another Dropbox Hack - they hack 1000s of users, then mysteriously get hacked and all the password are stolen. Then they deny they were actually hacked (as in 2014)
https://blogs.dropbox.com/dropbox/2014/10/dropbox-wasnt-hacked/
but the latest news puts the lie to their 2014 plea - they were hacked in 2012 and you can check to see if your credentials are publicly available following the procedure given here https://www.troyhunt.com/the-dropbox-hack-is-real/
A previous article on the same blog:
Discusses the process he went through before coming public with the details, including telling drop box and running successfully the software with permissions disabled for four months attempting to use every feature.
Meh, that's a poorly written article.
1) Dropbox doesn't store/retain/use or whatever your admin password. During installation it requests it so it can inject itself with an accessibility permission (which is fairly unlimited, to be granted).
2) The fishy bit is that it circumvents the existing OSX elevation methods and instead just settles for the jugular - injecting itself far deeper in the system than it should.
Which really brings the crux of the problem. Why the f*k should a cloud files sync service require kernel extensions or inject itself as a virtual filesystem in the first instance. What the hell was wrong with the model where it had a folder, kept monitoring it and if anything changed, synced the files?
Me thinks we should ring up the BOFH and point him to a couple of product managers in Dropbox HQ. Heck, I'd sharpen the spade myself.
I am being hounded, hounded I tell you, by bloody Dropbox to get DB Enterprise throughout the company. After the recent, well 2012, password screwup I told them that we were rethinking our strategy more along the lines of Box, Ctera or Tresorit. That put them into hyperdrive with UK area sales managers insisting that they had to come to see us, along with their development managers, to reassure us that everything was ok.
Given that all our IT security is handled by a much larger organisation than our own, and who are now not too pleased to have been shown this article, I rather suspect that the final nail just went into the Dropbox coffin ..
"unfortunately some of the permissions aren’t as granular as we would like"
B******s! Under no circumstances does an app need permissions to the whole system in order to sync user files. It's running in user space and only needs user permissions, nothing higher, and certainly not root. As for granularity, I call B******s on that too. UNIX's ACLs and granularity go hand in hand.
I was dubious about the new Dropbox app ever since I heard it installed a kext. Definitely deleting it from my Mac now.
Ask yourself, could you trust someone again after they were caught red-handed deceiving you and many other people, and then lied about what they were doing by trying to play it down with feeble, patronising excuses?
Sorry but this is 2016. There is no excuse.
If you continue with Dropbox, you will always have at the back of your mind that people who lied to you have control over you. Can you accept that?
Dropbox can no longer be trusted. Anyone can see that now.
Worse than Dropbox hacking your computer is their open (back)door policy that has resulted in regular embarrassments like this one:
https://www.theguardian.com/technology/2016/aug/31/dropbox-hack-passwords-68m-data-breach
By 2012, the regular leakage of user passwords was already an old story. But their business continues to grow, so this time the leak exceeds 68 million users. It's the PT Barnum style of business - if you fail your existing clients, just find new ones. I once had to recover a Mac that had been sadly taken down - watching the boot process, the first thing that came up was Dropbox. This was ca. 2012 - Dropbox owned the MBR and controlled the boot process - on that machine, at least.
Forget Dropbox. Pick an alternative at random from those available - you can't do worse.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
