Stuart Breckenridge

Dropbox' Dirty Little Security Hack

philastokes:

If you have Dropbox installed, take a look at System Preferences > Security & Privacy > Accessibility tab. Notice something? Ever wondered how it got in there? Do you think you might have put that in there yourself after Dropbox asked you for permission to control the computer?

[…]

There are at least three reasons why it matters. It matters first and foremost because Dropbox didn’t ask for permission to take control of your computer. What does ‘take control’ mean here? It means to literally do what you can do in the desktop: click buttons, menus, launch apps, delete files… There’s a reason why apps in that list have to ask for permission and why it takes a password and explicit user permission to get in there: it’s a security risk.

[…]

Moreover, Dropbox is either clearly storing your Admin password in its own caches (very bad) or giving itself complete root privileges (also very bad); otherwise, it would have to ask you for the password again after you delete it from the list of apps allowed Accessibility privileges. This strikes me as not only underhand (because there’s no indication that it’s going to assume that kind of control) but also over the top.

It’s quite shocking that Dropbox would do this. It makes me want to move over to iCloud Drive. (Read the followup post to understand exactly how Dropbox are hacking their way around Apple’s security.)
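The Accessibility list the quoted post tells you to inspect is backed by the system TCC database. As an added example (not code from the original post or from Dropbox), the script below shows the query a reviewer would run against that database and a small filter that surfaces any bundle ID holding the Accessibility grant that is not on an expected list. The sample rows are constructed so the script runs offline; the Dropbox bundle ID is used only as an illustrative value, and the column names assume the macOS 10.12-era TCC schema the post refers to.

```shell
# Added example, not part of the original post: audit which clients hold the
# Accessibility grant and flag any that are not on an expected list.
TCC_DB="/Library/Application Support/com.apple.TCC/TCC.db"

# Live query on a Mac (needs sudo / Full Disk Access; 10.12-era column names):
#   sudo sqlite3 "$TCC_DB" \
#     "SELECT client, allowed FROM access WHERE service='kTCCServiceAccessibility';"

# Reads "client|allowed" rows on stdin (the sqlite3 output format) and prints
# every client that is allowed (allowed=1) but absent from the space-separated
# allowlist passed as $1.
unexpected_accessibility_clients() {
    allowlist=" $1 "
    while IFS='|' read -r client allowed; do
        [ "$allowed" = "1" ] || continue
        case "$allowlist" in
            *" $client "*) ;;                # expected client, nothing to report
            *) printf '%s\n' "$client" ;;    # not on the allowlist: surface it
        esac
    done
}

# Constructed sample rows standing in for sqlite3 output (illustrative values).
SAMPLE_ROWS='com.apple.Terminal|1
com.getdropbox.dropbox|1
com.example.denied|0'

# Runs the filter over the sample with Terminal as the only expected client.
audit_sample() {
    printf '%s\n' "$SAMPLE_ROWS" | unexpected_accessibility_clients "com.apple.Terminal"
}

audit_sample
```

On a real machine, replace the sample with the output of the sqlite3 query and pass the bundle IDs you knowingly granted as the allowlist; anything printed is a grant you did not consciously approve and should remove from the Accessibility tab.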
