Why So Much Telemetry ?

Hello,

I am a Chrome Engineer, working for the Chrome Security team.  In Chrome 85, a security feature called CORS-for-content-scripts has shipped - after Chrome 85 content scripts can no longer bypass CORS, even if an extension has permission to the target host.  The Chrome 85 changes have been announced in March 2020 on chromium-extensions@ discussion list, as well as in Chrome Enterprise Release notes.

The "Dropbox for GMail" Chrome Extension has been identified as affected by Chrome telemetry in earlier Chrome versions.  An email notification to CWS@dropbox.com (the email registered in Chrome Web Store) was sent out in June 2020.  To avoid disruptions, the extension has been put on a temporary "allowlist" that exempts the extension from Chrome 85 changes (as we've announced earlier, the "allowlist" is being removed in Chrome 87).  Our manual testing indicates that the "Dropbox for GMail" Chrome Extension has not yet migrated to the new security model and will stop working in Chrome 87 (starting with version 87.0.4266.0, currently in the Chrome Canary channel).

Please migrate the "Dropbox for GMail" Chrome Extension to the new security model as soon as possible.  The tentative Chrome 87 release schedule is to ship to the Beta channel on 2020-10-15 and to start rolling out the Stable channel on 2020-11-17.  More details about the changes and migration guidelines are available at https://www.chromium.org/Home/chromium-security/extension-content-script-fetches.

Best regards,

Lukasz Anforowicz

Hi anforowicz; thanks for the extensive report and welcome to the Dropbox Community!

As I'd like to get this under the attention of one of our experts, would it be OK if I used the email address that's connected to your profile here on our Community to further investigate? 

Thanks a bunch, Lukasz. 

RE: would it be OK if I used the email address that's connected to your profile here on our Community to further investigate

Sure, that should be totally ok.  Thank you for asking.

-Lukasz

Thanks for the swift response, Lukasz. 

I just sent you an email so we can investigate further. 

Whenever you get the chance, please take a look at your inbox for my message and we'll take it from there.

Hi Threlly; welcome to our Community!

I'm not aware of this exact domain and as a matter of fact is not listed within our official domains. Can you let me know some additional information about the device you're seeing this on, such as if you're running the desktop application and/or if you're using a web browser to access a Dropbox account etc.? 

Regarding your last queries, I'd suggest getting in touch with the 3rd party app you mentioned directly as they might have more information. 

In any case, please let me know what you find, Threlly. 

Hi,

I'm using the Windows 10 desktop app v106.4.368.

I rarely access dropbox in the browser.

Even if I quit the client the DropBox service (DbxSvc) remains active in my task list, as does "DropBox Update 32bit".

Gary

The traceroute site interpreted the url as telemetry.v.dropbox.com, so I tried another site.

The final IP, 162.125.19.9, is owned by DropBox.

Hi Walter,

All gone quiet.

Dropbox is still siphoning unknown amounts of data from my PC to an address that Dropbox own but have not added to the list of official addresses.

Even though I have turned off telemetry & metadata being sent back to Dropbox in my settings, this is happening in the background with no control.

I'm based in the UK, so for now, still in the EU. This looks like it circumvents GDPR rules in Europe.

Do you think anybody from DropBox will respond ?

Best,

Gary

Thanks for the nudge on this one, Gary.

I've sent you a ticket to the email address that's associated with your Community's profile so we can investigate further.

Whenever you get the chance, please take a look at your inbox and we'll take it from there.