Dropbox Security Flaw

Read about it here. I try not to republish content, but the pertinent bit is this:

Newton’s concept, tested on a Windows machine, uses Dropbox’s own configuration files; configuration data, file/directory listings and hashes are stored in numerous SQLite database files located in %APPDATA%\Dropbox. Inside one file lies a database row containing a user’s “host_id”, which is used to authenticate each individual user.
Modifying this file and changing the host_id to that of another Dropbox user automatically authenticates the account, providing complete access to that person’s Dropbox until the user realises that there is a new computer in the “Linked Devices” section of the Dropbox website.

Dropbox or not, you should encrypt sensitive data with an out-of-band key (a password/passphrase, YubiKey or other token) before it is synced. The point is that the key must never live alongside the data: a copied host_id, or any other stolen client state, then yields only ciphertext.

Personally, I agree with Dropbox’s statement that if an attacker is able to gain access to your local files, gaining access to the Dropbox’d files is already a lost battle. However, gaining access to the Dropbox account without a password is where I have an issue. In either regard, I will continue to promote Dropbox as the best cloud-based replicator out there.
