Security issue found in Dropbox client
Security expert Derek Newton considers using the popular Dropbox online service to be a security risk. The service stores files on the web and continuously synchronises them between different computers. This is done using client software for Windows, Linux and Mac OS, and for mobile systems such as iOS and Android. The freemium online storage service is very popular with private as well as corporate users.
When examining the Windows client, Newton discovered a serious security hole in the way the service handles the Dropbox account credentials. Credentials only need to be entered once, during installation. The installation process generates an authentication token, the host_id, which is subsequently stored in the config.db file in the %APPDATA%\Dropbox directory on the local hard disk.
Newton says that the host_id isn't tied to the system it was generated on and can, therefore, be transferred to any other system. This potentially allows a trojan to extract the config.db file and obtain unauthorised access to a user's stored Dropbox files. Such access doesn't register as an additional system: when the unauthorised machine connects to the Dropbox service with the copied host_id, the service apparently treats it as the original system. No credentials are requested and no new machine appears in the list of systems that Dropbox is synchronising.
Changing the password, the usual way of cutting off continued access, does not help, as the host_id remains valid after the change. A host_id can be revoked by going to www.dropbox.com/account, selecting "My Computers" and choosing "Unlink" for the compromised system.
Newton thinks that the security hole is caused by a design flaw in the Windows client. It remains unclear whether the software for other operating systems is also affected, but this seems possible because they share the same architecture. Newton recommends that corporate users refrain from using Dropbox for the time being. The expert advises that strong encryption should be used to protect sensitive data stored in a Dropbox, that users should remove any old systems from their list of authorised systems, and that care should be taken to prevent potential intruders from accessing the config.db file.
In a discussion on Dropbox's forums, the company's CTO, Arash Ferdowsi, said he did not agree with Newton's assessment of the issue. He points out that if someone has gained access to the system, either physically or by use of a virus or trojan, "the security battle is over" and that all the system's data is vulnerable. Ferdowsi does, though, acknowledge that the company can improve how the authentication token is protected. He says the company will "think carefully about possible security improvements" and introduce them in newer versions of the Dropbox client. He mentions more complex tokens, better file permissions and improved obfuscation of where the id is held. One option Dropbox should consider is generating the host_id token based on some identifier tied to the physical system to stop it being so portable.
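To make the difference concrete, here is an added example (not Dropbox's code, and not Newton's or Ferdowsi's). It models a server that treats the host_id as a plain bearer token, as the article describes, and a client whose config store can be copied by a trojan. It then shows the alternative of wrapping the stored host_id with a key derived from a per-machine secret that is not part of the copied file (on Windows, DPAPI is the obvious place to get such a key; here it is just random bytes). The server API, the token format and the wrapping scheme are assumptions made for the illustration.

```python
# Added example, not Dropbox's code: a minimal model of the host_id problem
# the article describes, and of one way to bind the stored token to the
# machine. The server API, token format and "machine secret" are assumptions.
import hashlib
import hmac
import secrets


def _pw_hash(password):
    # Stand-in for proper password hashing; not the point of the example.
    return hashlib.sha256(password.encode()).hexdigest()


class DropboxLikeServer:
    """Server side as the article describes it: host_id is a bearer token."""

    def __init__(self, accounts):
        self.passwords = {a: _pw_hash(p) for a, p in accounts.items()}
        self.linked = {}  # host_id -> account (the "My Computers" list)

    def link(self, account, password):
        # Credentials are checked once, at install time; a random host_id comes back.
        if self.passwords.get(account) != _pw_hash(password):
            raise PermissionError("bad credentials")
        host_id = secrets.token_hex(16)
        self.linked[host_id] = account
        return host_id

    def sync(self, host_id):
        # Nothing but the token is checked: no password, no machine identity.
        try:
            return self.linked[host_id]
        except KeyError:
            raise PermissionError("unknown host_id") from None

    def change_password(self, account, new_password):
        self.passwords[account] = _pw_hash(new_password)  # linked hosts untouched

    def unlink(self, host_id):
        self.linked.pop(host_id, None)  # the one operation that revokes access


class Machine:
    """A client machine with a config store (stand-in for config.db) and a
    per-machine secret the client can use but a file-copying attacker cannot."""

    def __init__(self):
        self.machine_secret = secrets.token_bytes(32)  # assumed: DPAPI-like key
        self.config = {}  # key -> stored value

    # current design: host_id stored as-is
    def store_plain(self, host_id):
        self.config["host_id"] = host_id

    def load_plain(self):
        return self.config["host_id"]

    # bound design: host_id XOR-wrapped with a key derived from the machine secret
    def _wrap_key(self, length):
        return hmac.new(self.machine_secret, b"host_id-wrap", hashlib.sha256).digest()[:length]

    def store_bound(self, host_id):
        raw = bytes.fromhex(host_id)
        key = self._wrap_key(len(raw))
        self.config["host_id"] = bytes(a ^ b for a, b in zip(raw, key)).hex()

    def load_bound(self):
        stored = bytes.fromhex(self.config["host_id"])
        key = self._wrap_key(len(stored))
        return bytes(a ^ b for a, b in zip(stored, key)).hex()


def steal_config(victim, attacker):
    """What the trojan does: copy the config file, not the machine secret."""
    attacker.config = dict(victim.config)


def demo_plain():
    """Bearer host_id: the copied file works, survives a password change, dies on unlink."""
    server = DropboxLikeServer({"alice": "hunter2"})
    victim, attacker = Machine(), Machine()
    victim.store_plain(server.link("alice", "hunter2"))
    steal_config(victim, attacker)
    results = {"copied_token_syncs": server.sync(attacker.load_plain()) == "alice"}
    server.change_password("alice", "new-password")
    results["still_syncs_after_password_change"] = server.sync(attacker.load_plain()) == "alice"
    server.unlink(victim.load_plain())
    try:
        server.sync(attacker.load_plain())
        results["syncs_after_unlink"] = True
    except PermissionError:
        results["syncs_after_unlink"] = False
    return results


def demo_bound():
    """Machine-bound host_id: the victim still syncs, the copied file unwraps to junk."""
    server = DropboxLikeServer({"alice": "hunter2"})
    victim, attacker = Machine(), Machine()
    victim.store_bound(server.link("alice", "hunter2"))
    steal_config(victim, attacker)
    results = {"victim_still_syncs": server.sync(victim.load_bound()) == "alice"}
    try:
        server.sync(attacker.load_bound())  # unwrapped with the wrong machine secret
        results["copied_token_syncs"] = True
    except PermissionError:
        results["copied_token_syncs"] = False
    return results


if __name__ == "__main__":
    print("bearer host_id:", demo_plain())
    print("machine-bound host_id:", demo_bound())
```

The bound variant only defeats the copy-the-file attack: malware running under the victim's account on the original machine can call the same unwrap routine, which is Ferdowsi's point. It does, however, turn a stolen config.db into an inert blob and stops a password change from being the wrong tool for revocation, so "Unlink" is no longer the only thing standing between an attacker and the account.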