Dropbox 'Authentication' Security Flaw Discovered


Dropbox appears to have a major security flaw that could expose your files to everyone on the Internet.

According to security specialist Derek Newton, the issue stems from the fact that the Dropbox client uses a simple configuration file to link all of a user's Dropbox machines together. The file, config.db, is a small table that contains only three fields: email, dropbox_path, and host_id. Here's the problem:

"since the config.db file is completely portable and is *not* tied to the system in any way. This means that if you gain access to a person's config.db file (or just the host_id), you gain complete access to the person's Dropbox until such time that the person removes the host from the list of linked devices via the Dropbox web interface. Taking the config.db file, copying it onto another system (you may need to modify the dropbox_path, to a valid path), and then starting the Dropbox client immediately joins that system into the synchronization group without notifying the authorized user, prompting for credentials, or even getting added to the list of linked devices within your Dropbox account (even though the new system has a completely different name) -- this appears to be by design. Additionally, the host_id is still valid even after the user changes their Dropbox password (thus a standard remediation step of changing credentials does not resolve this issue)."
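To make the design properties Newton describes concrete, here is an added toy model (not Dropbox's code and not from Newton's post) in which a bare bearer host_id behaves as quoted above, next to a hardened variant that binds the link to a machine identity, records every link as a named device, and revokes all links when the password changes. The class and method names are assumptions, and the hostname stands in for a real hardware-bound machine key.

```python
import hashlib
import secrets

class PortableTokenService:
    """Toy model of the design the post describes: host_id is a bare bearer
    token, never checked against the machine, not recorded per device, and
    it survives a password change. Constructed here, not Dropbox code."""
    def __init__(self, password):
        self.password = password
        self.host_ids = set()
    def link(self, password):
        if password != self.password:
            raise PermissionError("bad password")
        host_id = secrets.token_hex(16)   # the value config.db would carry
        self.host_ids.add(host_id)
        return host_id
    def sync(self, host_id, hostname):
        return host_id in self.host_ids   # hostname plays no role
    def change_password(self, new_password):
        self.password = new_password      # existing host_ids stay valid
    def linked_devices(self):
        return []                         # no per-host record exists

class BoundTokenService:
    """Hardened variant: the stored secret only works together with a machine
    identity (hostname stands in for a hardware-bound key), every link is
    recorded as a named device, and a password change revokes all links."""
    def __init__(self, password):
        self.password = password
        self.devices = {}                 # proof -> hostname
    @staticmethod
    def _proof(secret, hostname):
        return hashlib.sha256(f"{hostname}:{secret}".encode()).hexdigest()
    def link(self, password, hostname):
        if password != self.password:
            raise PermissionError("bad password")
        secret = secrets.token_hex(16)
        self.devices[self._proof(secret, hostname)] = hostname
        return secret
    def sync(self, secret, hostname):
        return self.devices.get(self._proof(secret, hostname)) == hostname
    def change_password(self, new_password):
        self.password = new_password
        self.devices.clear()              # standard remediation now works
    def linked_devices(self):
        return sorted(self.devices.values())
```

In the first model a copied host_id syncs from any hostname and keeps working after a password change while the device list stays empty; in the second, the same secret fails on another host, the device is listed, and the password change cuts it off.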

Here's what you can do to protect yourself and/or your organization:

  1. Don't use Dropbox and/or allow your users to use Dropbox.