Dropbox experiment with update to solve security vulnerability

The developers of Dropbox have published an experimental update 1.2.0 for Windows, Mac OS X and Linux to solve the recently reported security problem. Unauthorised parties could gain access to the online storage service, and hence to the files stored there, without being noticed simply by copying the configuration file to another system.

Once the configuration file has been stolen, changing your password no longer helps, as security expert Derek Newton discovered. Newton found that the configuration file config.db is not associated to the system and can be transferred to any other system running the Dropbox client software. A possible scenario exploiting the problem might see a Trojan copying the file and then silently getting access anytime to the files stored in Dropbox.

The update contains changes which should prevent attackers from getting access to the service by just copying the file. Version 1.2.0 also has a new, encrypted format for the local SQLite database to prevent unauthorised access to content. The developers say that the change means that some applications with Dropbox support that "incorrectly relied on the old database format", such as 1Password and KFilebox, will no longer work.

The developers note that they will be releasing updated versions over the next few weeks as they check the stability of the updates before making it the official version. Users who want to test the experimental update should make a backup of the files in their Dropbox folder first.

(crve)