Dropbox: Insecure by design?

A researcher has revealed that it's easy for non-authorized computers to access a user's files. But should you worry?

The fundamental security of the Dropbox cloud storage service has been called into question by a researcher.

Dropbox is a poster boy for the nascent cloud storage field and is among the most popular cloud storage services. It works by adding a special folder to your computer's hard disk. Any files you add are automatically uploaded to Dropbox's cloud storage area, and you can install Dropbox on a variety of computers and mobile devices, thereby syncing files across all their devices. Additionally, Dropbox can act as a cloud backup service if only installed on one computer.

The security issue relates to the Dropbox client program and how it authenticates users, which is to say, how each computer proves to the Dropbox cloud it should have access to a user's files.

Security researcher Derek Newton has discovered that authentication relies on a single, unchanging hash code that identifies the computer -- that is, a steam of hexadecimal characters. Anybody who uncovers this hash, which is stored as plain text on the user's hard disk, can sync a user's Dropbox files on any computer, without a username or password prompt appearing. The user will be unaware of this third-party access, unless they check online to see what computers are accessing their account.

Even if the user changes their password, Newton continues, the hash will continue to work. Therefore, stealing the hash is enough for lifetime access to that user's account unless the hash code is withdrawn, which would involve the user unauthorizing the computer whose hash code has been compromised -- something that's not exactly easy or convenient.

Some security experts suggest that a hash code such as this should be unique for every computer, making it non-portable. This can be done by calculating the code based on a unique aspect of each computer, such as the CPU serial code or the network device's MAC address. This hash would be checked by the Dropbox client against the hardware each time the client started to ensure the computer was genuinely allowed access.

However, such methods of specifically identifying computers cause consternation among some online privacy advocates.

What makes the discovery worse, Newton claims, is that the security loophole appears to be there by design. The Dropbox engineers consider this adequate protection for users.

Dropbox has responded by pointing out that for the attack to work, a hacker would have to gain access to a user's computer. At that point "the security battle is already lost," they say, because the hacker would have access to every file on the computer. They compare it to stealing session cookies from a Web browser in order to impersonate a user, although they add that "there are measures that can be taken to make it more difficult (though not impossible) to gain access...which we'll consider in the future."

Outside of hack attacks, there is massive potential for using the hash code to spy on Dropbox users. Simply access a user's computer when they're not around (maybe while they're grabbing a cup of coffee), steal their Dropbox hash code, and you'll be able to monitor or download what they're adding to and removing from their Dropbox account at any time.

Additionally, hackers who install the likes of Trojans or keyloggers could grab the hash code as part of a broader attack and, if their illicit software is discovered and removed, use it to continue accessing the victim's cloud files.

Although most of us change our online passwords after being hacked, how many realize that resetting Dropbox is also necessary? (Resetting would involve deleting the computer from Dropbox's list of known devices, and adding the same computer again, thereby creating a new hash code; this would probably involve syncing all the files from scratch.)

Whether the flaw is anything to be worried about is a matter of opinion. Newton says the only way to use Dropbox with peace of mind is to manually encrypt any data that's stored there, but that defeats the convenience of being able to drag and drop files into and from the Dropbox folder.

The whole issue shows how cloud software developers often trade convenience for security -- having users log in each time to their Dropbox account at each boot-up would make Dropbox significantly less appealing, but creating persistent hassle-free logins for cloud services is a difficult task. Such issues are yet one more hurdle that cloud services will have to bypass to gain the trust of users.

An interesting discussion of the implications of Newton's discovery can be found in the comments section of his blog posting, where various security experts weigh in with their opinion.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags cloud computinginternetstoragedata protectiononline privacystorage accessory

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Keir Thomas

PC World (US online)
Show Comments

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Jack Jeffries

MSI GS75

As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr

MSI PS63

The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Aysha Strobbe

Microsoft Office 365/HP Spectre x360

Microsoft Office continues to make a student’s life that little bit easier by offering reliable, easy to use, time-saving functionality, while continuing to develop new features that further enhance what is already a formidable collection of applications

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?