Hi, I just came across this blog post detailing some, shall we say, unorthodox ways Dropbox is circumventing OS X security features and tricking users into sharing their admin password: http://applehelpwriter.com/2016/07/28/revealing-dropboxs-dirty-little-security-hack/ I found the same happened on my system (OS X 10.11.6), Dropbox v9.v.49). Can you explain why you do this?

Tricking users into giving up their admin password is unethical hacking. Dropbox needs to respond and remove this hack.

The thing, Rich, is that there is absolutely no reason for Dropbox not to go through the regular security channels already in OS X. They could just as easily have used Apples APIs to do the same thing instead of doing something that is essentially a "hack". They create their own permission window which gives the illusion that it's OS X asking you, not Dropbox. It's deceitful and extremely weird.

There is no excuse for dropbox to re-add itself, especially after you removed the application. They are hacking users and hurting them.

I've never heard of Project Harmony and don't use integration with MS Office, so I guess that's why I haven't had a problem. I see that Dropbox has created a help article about this. Still, the approach doesn't sit well with me. I can understand that certain elevated permissions are required for some features. Dropbox is the kind of tool that needs to be integrated into the OS to provide all of the capabilities that it does. The way it goes about this is what concerns me. It needs to be clearer about what it needs permissions for. For example, I don't recall seeing any notice that the app would automatically update itself. Every other app I use that has an autoupdate function (including macOS) asks if I want auto updates. There are very good reasons to give the user control over this function (being on a low bandwidth connection, needing to test software changes before using them in production, etc.). Also, if accessibility is only required for MS Office integration, ask if I want to use it rather than installing it and changing accessibility settings. There could be very good reasons why I wouldn't want the integration. Dropbox also should not give itself the ability to make changes to the system that require elevated privileges without prompting. If I remove a feature like accessibility, Dropbox should not add it back without asking permission. What if a hacker figures out how to hack the Dropbox client into letting malware have the same privileges? This may be a very rare scenario, but how do the ease of use benefits outweigh the security needs? If Dropbox needs access that I took away, it can detect it and prompt me to allow it again, warning me what will break and, if appropriate, letting me keep it off permanently.

You better have a really good [removed by moderator] explanation for doing this, Dropbox.. I don't pay you to steal my login password.

Why does Dropbox ask for your computer password

35 Replies

Replies have been turned off for this discussion

Leon N.
Helpful | Level 5
10 years ago
Tricking users into giving up their admin password is unethical hacking. Dropbox needs to respond and remove this hack.
Brandon A.2
New member | Level 1
10 years ago
+1
Kim V.4
New member | Level 1
10 years ago
You better have a really good [removed by moderator] explanation for doing this, Dropbox.. I don't pay you to steal my login password.
Rich
Super User II
10 years ago
Kim,

Please watch your language on these public forums or your posts could be removed or your account suspended. Your post has been edited. Thank you.
Rich
Super User II
10 years ago
Cross-linking for reference:

https://www.dropboxforum.com/t5/Installs-integrations/MacOS-X-Security-Is-it-normal-to-allow-Dropbox-app-quot-to/m-p/60167

https://www.dropboxforum.com/t5/Dropbox/Security-risk-in-OS-X-Client/idi-p/187402

https://www.dropboxforum.com/t5/Dropbox/How-can-I-disable-the-Dropbox-request-for-my-computer-password/idi-p/161658

This reply will be updated with other posts as they are closed and redirected here.

[Mod update December 11, 2019: updated and removed old links]
John B.194
New member | Level 2
10 years ago
A person claiming to be a dropbox employee responded to this on the original post downplaying the thing. I think an official statement would be nice.

https://news.ycombinator.com/item?id=12463338
Leon N.
Helpful | Level 5
10 years ago
I don't believe the "employee" who responded. One of the things he said was accessibility is required for badges. I removed Dropbox's accessibility access, but the badges show up just fine. I've not noticed any functionality missing.
Rich
Super User II
10 years ago
I removed Dropbox's accessibility access, but the badges show up just fine. I've not noticed any functionality missing.

The badge appeared, but did you test its full functionality? If not, then it wasn't a valid test of the accessibility requirements.

I'm not arguing for or against either side. I'm only stating that simply seeing the badge show up is not a valid indicator that it's working properly.
Leon N.
Helpful | Level 5
10 years ago
Good point. One feature is not a complete test. However, I continue to use Dropbox for syncing, app access (i.e. native API access from the app) and finder/pathfinder integration all seem to work fine. Anything else I should test?

BTW, it was stated by the person claiming to be a Dropbox employee that accessibility was needed for badges. It seems reasonable to expect Dropbox to explain what access is truly required, why and how this unusual authentication process works.
Kim V.4
New member | Level 1
10 years ago
The thing, Rich, is that there is absolutely no reason for Dropbox not to go through the regular security channels already in OS X. They could just as easily have used Apples APIs to do the same thing instead of doing something that is essentially a "hack". They create their own permission window which gives the illusion that it's OS X asking you, not Dropbox. It's deceitful and extremely weird.