cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Want to learn some quick and useful tips to make your day easier? Check out how Calvin uses Replay to get feedback from other teams at Dropbox here.

Create, upload, and share

Find help to solve issues with creating, uploading, and sharing files and folders in Dropbox. Get support and advice from the Dropbox Community.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Re: "Dropbox’s dirty little security hack"

Why does Dropbox ask for your computer password

Florian A.1
New member | Level 1

Hi, I just came across this blog post detailing some, shall we say, unorthodox ways Dropbox is circumventing OS X security features and tricking users into sharing their admin password:

http://applehelpwriter.com/2016/07/28/revealing-dropboxs-dirty-little-security-hack/

I found the same happened on my system (OS X 10.11.6), Dropbox v9.v.49). Can you explain why you do this?

35 Replies 35

Kim V.4
New member | Level 1

The thing, Rich, is that there is absolutely no reason for Dropbox not to go through the regular security channels already in OS X. They could just as easily have used Apples APIs to do the same thing instead of doing something that is essentially a "hack". They create their own permission window which gives the illusion that it's OS X asking you, not Dropbox. It's deceitful and extremely weird.

Razvan Boxifier
Collaborator | Level 10

@Leon N: did you test for the Dropbox Badge (Project Harmony - Microsoft Office integration) feature or the sync badges in Finder? Dropbox uses the accesibility features of the OS for the "Project Harmony" feature.

Rich
Super User II

They could just as easily have used Apples APIs

According to the Dropboxer that posted on the other site, they did use Apple's API. Emphasis mine.

We never see or store your admin password. The dialog box you see is a native OS X API (i.e. made by Apple).

Someone else then commented:

To clarify for others: In /Library/DropboxHelperTools, you'll find a folder for each user full of setuid tools which run as root and do various privileged things. I assume that the client is presenting the normal OS X "ask for elevated access" UI and then using that elevated access to configure and install these. (I don't work for Dropbox or anything; I've just been poking around.)

Rich
Super User II

Anything else I should test?

Razvan's got it. It's not the green check or blue sync badges that go over your files. It's the Dropbox Badge feature formerly known as Project Harmony that uses accessibility features. This is used to notify you when another user opens a file that you're in, updates your document to the latest version when someone else makes a change to it, etc.

Marco P.10
New member | Level 1

There is no excuse for dropbox to re-add itself, especially after you removed the application. They are hacking users and hurting them.

Sebastian S.13
Explorer | Level 4

Exactly! When the user removes the permission, DB should at least ask for it again.  And if it's not given (which you can only do on first install or by following the instructions of the author of the post), DB shouldn't be asking for it every time the system reboots, specially when everything works just fine without those permissions.

Looking forward for this "feature" to be removed in the near future.  In the meantime my files go somewhere else.

Leon N.
Helpful | Level 5

I've never heard of Project Harmony and don't use integration with MS Office, so I guess that's why I haven't had a problem.

I see that Dropbox has created a help article about this. Still, the approach doesn't sit well with me. I can understand that certain elevated permissions are required for some features. Dropbox is the kind of tool that needs to be integrated into the OS to provide all of the capabilities that it does. The way it goes about this is what concerns me.

It needs to be clearer about what it needs permissions for. For example, I don't recall seeing any notice that the app would automatically update itself. Every other app I use that has an autoupdate function (including macOS) asks if I want auto updates. There are very good reasons to give the user control over this function (being on a low bandwidth connection, needing to test software changes before using them in production, etc.). Also, if accessibility is only required for MS Office integration, ask if I want to use it rather than installing it and changing accessibility settings. There could be very good reasons why I wouldn't want the integration.

Dropbox also should not give itself the ability to make changes to the system that require elevated privileges without prompting. If I remove a feature like accessibility, Dropbox should not add it back without asking permission. What if a hacker figures out how to hack the Dropbox client into letting malware have the same privileges? This may be a very rare scenario, but how do the ease of use benefits outweigh the security needs? If Dropbox needs access that I took away, it can detect it and prompt me to allow it again, warning me what will break and, if appropriate, letting me keep it off permanently.

Daniel S.48
New member | Level 2

I don't have Office.  And even if I did, I wouldn't care about the integration.  Dropbox should prompt users specifically for the office integration bit, and if they consent should then do the admin prompt and set up the Accessibility insertion.  I still think it's a bad idea, but there's no better solution for cross-app control like that.

At the very least, Dropbox should absolutely not be so pernicious about virally restoring its Accessibility permissions.  Like… literally checksumming the SQL injection executable and overwriting it on startup is insane.  The only way that executable could get overwritten (but not removed) to something other than the what Dropbox created is if a user is actively trying to prevent Dropbox from doing its Accessibility tricks.

I would be a lot more OK with this situation if it were possible to opt out as a user without generating admin prompts every time I start Dropbox.  I mean, it's still a massive breach of user trust, but at least it would be a tenable situation.  But as things are…  Dropbox is basically acting as a virus which hasn't yet done anything with its control of my computer.

Pad 4.
New member | Level 1

"Trust is the foundation of our relationship with hundreds of millions of people and businesses around the world."

https://blogs.dropbox.com/dropbox/2016/06/transparency-report-jul-dec-2015/ 

 

I would like a statement from Dropbox CEO accepting how seriously this behaviour is a betrayal of trust, explaining how Dropbox came to decide that this working in this way was acceptable, and what changes are going to be made to stop similar choices being made in the future.

Need more support?