The security issue concerns the Dropbox client and how it authenticates users: that is, how each linked computer proves to Dropbox's servers that it should be given access to a user's files.
Security researcher Derek Newton has discovered that this authentication relies on a single, unchanging hash code that identifies the computer, a string of hexadecimal characters. Anybody who obtains this hash, which is stored unencrypted on the user's hard disk, can sync the user's Dropbox files on any computer, with no username or password prompt appearing. In effect the hash is a bearer credential: possession alone grants access. The user will be unaware of this third-party access unless they check online to see which computers are linked to their account.
Even if the user changes their password, Newton continues, the hash will keep working. Stealing the hash is therefore enough for indefinite access to that user's account unless the hash is revoked, which means the user must unlink the computer whose hash has been compromised, something that is neither easy nor convenient.
Some security experts suggest that a hash code such as this should be bound to the specific computer, making it non-portable. This can be done by deriving the code from a unique property of the machine, such as a CPU serial number or a network adapter's MAC address, and having the Dropbox client check the code against the hardware each time it starts, so that a code copied to another machine fails. It is worth being clear about what this does and does not achieve: it stops a copied code from working elsewhere, but an attacker who already has access to the machine can read the same hardware identifiers and present them too, so it raises the bar rather than removing the risk.
However, such methods of specifically identifying computers cause consternation among some online privacy advocates, since a stable hardware identifier sent to a service can be used to track the machine across sessions.
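To make the two designs concrete, here is an added example, written for this page and not Dropbox's code, that models both in Python: a WeakServer that accepts a static host token from any machine and ignores password changes, as described above, and a HardenedServer that ties each device record to a fingerprint derived from a hardware identifier and to the account's password generation, so a copied token fails on another machine and a password change revokes linked devices until they re-link. The class names, the account name and the MAC addresses are constructed for illustration, and the fingerprint is simply a hash of a MAC string rather than a real hardware probe.

```python
import hashlib
import hmac
import secrets


def pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def fingerprint(mac_address):
    # Client-side hardware fingerprint as the text proposes (here a MAC), hashed.
    return hashlib.sha256(b"toy-device-fp:" + mac_address.encode()).digest()


class WeakServer:
    # The scheme in the article: a random host token per computer, good from any machine forever.
    def __init__(self):
        self.users = {}  # username -> (salt, password hash)
        self.hosts = {}  # host token -> username

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, pw_hash(password, salt))

    def check_password(self, user, password):
        salt, stored = self.users[user]
        if not hmac.compare_digest(stored, pw_hash(password, salt)):
            raise PermissionError("bad password")

    def link_device(self, user, password):
        self.check_password(user, password)
        host_id = secrets.token_hex(32)  # the unchanging hex string kept on disk
        self.hosts[host_id] = user
        return host_id

    def sync(self, host_id, fp=None):
        return self.hosts.get(host_id)  # token only: no machine or password binding

    def change_password(self, user, old, new):
        self.check_password(user, old)
        self.register(user, new)  # existing host tokens are left untouched


class HardenedServer(WeakServer):
    # Adds a keyed fingerprint digest and the password generation to each device record.
    def __init__(self):
        super().__init__()
        self.fp_key = secrets.token_bytes(32)  # keyed digest: no raw hardware ID stored
        self.generation = {}  # username -> int, bumped on every password change
        self.devices = {}     # host token -> (username, fp digest, generation)

    def register(self, user, password):
        super().register(user, password)
        self.generation[user] = self.generation.get(user, 0) + 1

    def link_device(self, user, password, fp):
        self.check_password(user, password)
        host_id = secrets.token_hex(32)
        digest = hmac.new(self.fp_key, fp, "sha256").digest()
        self.devices[host_id] = (user, digest, self.generation[user])
        return host_id

    def sync(self, host_id, fp=None):
        rec = self.devices.get(host_id)
        if rec is None or fp is None:
            return None
        user, digest, gen = rec
        if not hmac.compare_digest(digest, hmac.new(self.fp_key, fp, "sha256").digest()):
            return None  # token copied to a machine with a different fingerprint
        if gen != self.generation[user]:
            return None  # password changed since linking; the device must re-link
        return user

    def unlink_device(self, host_id):
        self.devices.pop(host_id, None)  # targeted revocation of one computer


def demo():
    alice_fp = fingerprint("00:11:22:33:44:55")  # constructed sample MACs
    w = WeakServer()
    w.register("alice", "pw1")
    stolen = w.link_device("alice", "pw1")  # copied from alice's disk
    w.change_password("alice", "pw1", "pw2")
    out = {"weak_copied_token_after_pw_change": w.sync(stolen) == "alice"}
    h = HardenedServer()
    h.register("alice", "pw1")
    host_id = h.link_device("alice", "pw1", alice_fp)
    out["own_machine"] = h.sync(host_id, alice_fp) == "alice"
    out["copied_token_other_machine"] = h.sync(host_id, fingerprint("66:77:88:99:aa:bb")) == "alice"
    # An attacker who also copies the MAC still gets in: binding is only a hurdle.
    out["copied_token_spoofed_fp"] = h.sync(host_id, alice_fp) == "alice"
    h.change_password("alice", "pw1", "pw2")
    out["after_pw_change"] = h.sync(host_id, alice_fp) == "alice"
    new_id = h.link_device("alice", "pw2", alice_fp)
    h.unlink_device(new_id)
    out["after_unlink"] = h.sync(new_id, alice_fp) == "alice"
    return out
```

demo() returns a dict of outcomes for each sync attempt. Two caveats from the text show up in the results: the hardened server still admits an attacker who copies the token and presents the same fingerprint, because anyone with access to the machine can read the MAC as easily as the token (the point Dropbox itself makes below), and the server stores only a keyed digest of the fingerprint, so a stable hardware identifier never sits in its database in the clear, which goes some way toward the privacy concern above.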
What makes the discovery worse, Newton claims, is that the security loophole appears to be there by design. The Dropbox engineers consider this adequate protection for users.
Dropbox has responded by pointing out that for the attack to work, a hacker would have to gain access to a user’s computer. At that point “the security battle is already lost,” they say, because the hacker would have access to every file on the computer. They compare it to stealing session cookies from a Web browser in order to impersonate a user, although they add that “there are measures that can be taken to make it more difficult (though not impossible) to gain access…which we’ll consider in the future.”
Beyond remote attacks, the hash code has considerable potential for use in spying on Dropbox users. Simply get to a user's computer while they are away from it (while they fetch a cup of coffee, say), copy their Dropbox hash, and you can monitor or download whatever they add to or remove from their Dropbox account, at any later time, from your own machine.
Additionally, attackers who install Trojans or keyloggers could grab the hash code as part of a broader attack and then continue to access the victim's cloud files even after their malware has been discovered and removed.
Although most of us change our online passwords after being hacked, how many realize that with Dropbox a password change alone is not enough? The compromised computer must be removed from Dropbox's list of known devices and then linked again, which generates a new hash code; this would probably mean syncing all the files from scratch.
Whether the flaw is anything to be worried about is a matter of opinion. Newton says the only way to use Dropbox with peace of mind is to manually encrypt any data that’s stored there, but that defeats the convenience of being able to drag and drop files into and from the Dropbox folder.
The whole issue shows how cloud software developers often trade security for convenience: having users log in to their Dropbox account at every boot would make the service significantly less appealing, but building persistent, hassle-free logins for cloud services that are also secure is a difficult task. Such issues are one more hurdle that cloud services will have to clear to gain the trust of users.