"WTF were they thinking?" +100 On Wed, Apr 13, 2011 at 7:39 AM, Angus Scott-Fleming <angu...@geoapps.com>wrote:
> Don't know if any of you (or your clients) use Dropbox (I do), but if you > do, > you should probably read this and pass it on: > > ============= Included Stuff Follows ============= > Dropbox authentication: insecure by design > > ... > > After some testing (modification of data within the config table, etc) > it > became clear that the Dropbox client uses only the host_id to > authenticate. Here´s the problem: the config.db file is completely > portable and is *not* tied to the system in any way. This means that if > you gain access to a person´s config.db file (or just the host_id), you > gain complete access to the person´s Dropbox until such time that the > person removes the host from the list of linked devices via the Dropbox > web interface. Taking the config.db file, copying it onto another system > (you may need to modify the dropbox_path, to a valid path), and then > starting the Dropbox client immediately joins that system into the > synchronization group without notifying the authorized user, prompting > for > credentials, or even getting added to the list of linked devices within > your Dropbox account (even though the new system has a completely > different name) - this appears to be by design. Additionally, the > host_id > is still valid even after the user changes their Dropbox password (thus > a > standard remediation step of changing credentials does not resolve this > issue). > > ... > > ============= Included Stuff Ends ============= > Seen here: > http://dereknewton.com/2011/04/dropbox-authentication-static-host-ids/ > http://tinyurl.com/3b9xdvv > > WTF were they thinking? > > Angus > > -- > Angus Scott-Fleming > GeoApps, Tucson, Arizona > 1-520-895-3270 > Security Blog: http://geoapps.com/ > > > > -- > Angus Scott-Fleming > GeoApps, Tucson, Arizona > 1-520-290-5038 > Security Blog: http://geoapps.com/ > > > > > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > --- > To manage subscriptions click here: > http://lyris.sunbelt-software.com/read/my_forums/ > or send an email to listmana...@lyris.sunbeltsoftware.com > with the body: unsubscribe ntsysadmin > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin