OT: Dropbox authentication: insecure by design

Tue, 12 Apr 2011 22:39:55 -0700 

Don't know if any of you (or your clients) use Dropbox (I do), but if you do, 
you should probably read this and pass it on:  

============= Included Stuff Follows =============
Dropbox authentication: insecure by design

    ...

    After some testing (modification of data within the config table, etc) it 
    became clear that the Dropbox client uses only the host_id to 
    authenticate. Here´s the problem: the config.db file is completely 
    portable and is *not* tied to the system in any way. This means that if 
    you gain access to a person´s config.db file (or just the host_id), you 
    gain complete access to the person´s Dropbox until such time that the 
    person removes the host from the list of linked devices via the Dropbox 
    web interface. Taking the config.db file, copying it onto another system 
    (you may need to modify the dropbox_path, to a valid path), and then 
    starting the Dropbox client immediately joins that system into the 
    synchronization group without notifying the authorized user, prompting for 
    credentials, or even getting added to the list of linked devices within 
    your Dropbox account (even though the new system has a completely 
    different name) - this appears to be by design.  Additionally, the host_id 
    is still valid even after the user changes their Dropbox password (thus a 
    standard remediation step of changing credentials does not resolve this 
    issue).

    ...

============= Included Stuff Ends =============
Seen here:
    http://dereknewton.com/2011/04/dropbox-authentication-static-host-ids/
    http://tinyurl.com/3b9xdvv

WTF were they thinking?

Angus

--
Angus Scott-Fleming
GeoApps, Tucson, Arizona
1-520-895-3270
Security Blog: http://geoapps.com/


  
--
Angus Scott-Fleming
GeoApps, Tucson, Arizona
1-520-290-5038
Security Blog: http://geoapps.com/





~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

Reply via email to