
Mackker

macrumors member
May 22, 2015
39
45

Call me insane but what's depicted in this article is exactly the same thing that Dropbox does (article by a Symantec data scientist):
http://www.symantec.com/connect/blogs/mac-os-x-dialog-box-spoofing-believe-me-i-m-system-preferences

In the first picture we can see that there’s something wrong, probably because of the blank space before “This malicious application which will install a trojan …”[sic]. That blank space seems immediately suspicious ;-). In the second picture, it seems pretty clear that “System Preferences” is asking for our password. Well, in both cases it’s nothing more than a simple application that I wrote using the Authorization Services API, which is asking for the user password in order to perform privileged operations.

The impact—to make it simple—is that a malicious program can spoof itself as something else (for example, System Preferences) when it asks for the password in order to obtain full system privileges. Obviously this is a social engineering trick, but the “look and feel” of the dialog box, the icon, and the message all increase the effectiveness of this social engineering attack.
 

Cindori

macrumors 68040
Jan 17, 2008
3,527
378
Sweden
Call me insane but what's depicted in this article is exactly the same thing that Dropbox does (article by a Symantec data scientist):
http://www.symantec.com/connect/blogs/mac-os-x-dialog-box-spoofing-believe-me-i-m-system-preferences

And this is the reason why this authorization API is now deprecated since OS X 10.7. It can be abused.

But Dropbox does not abuse it. The ability to change the popup message is perfectly valid and part of the intended API. They use their own icon and perfectly explain why the authentication is required.
 

Mackker

macrumors member
May 22, 2015
39
45
And this is the reason why this authorization API is now deprecated since OS X 10.7. It can be abused.

But Dropbox does not abuse it. The ability to change the popup message is perfectly valid and part of the intended API. They use their own icon and perfectly explain why the authentication is required.

But we can't know for sure that Dropbox plays nice here, can we? By the way, "deprecated" isn't the same as "removed". So they might still be using these techniques and I believe that this really is the case given the fact that on macOS Sierra they can't do the same.

But what we know for sure is that Dropbox really does behave like a Trojan after it "gets permission".
 

Cindori

macrumors 68040
Jan 17, 2008
3,527
378
Sweden
But we can't know for sure that Dropbox plays nice here, can we? By the way, "deprecated" isn't the same as "removed". So they might still be using these techniques and I believe that this really is the case given the fact that on macOS Sierra they can't do the same.

But what we know for sure is that Dropbox really does behave like a Trojan after it "gets permission".

What you are saying applies to any app in existence that asks for elevated permissions.
There is no app that details every little part of what the elevated permissions are used for.
In the case of Dropbox, you can argue that it's shady to circumvent standard practices for Accessibility permissions, but like I said previously it's likely part of a UX enhancement rather than nefarious purposes.

The majority of medium to advanced apps on Mac will need to install a helper and all you ever see is "Enter password to install helper tool".

Do you question every single one of these apps like you are with Dropbox right now and if not then why?

I'm not trying to defend Dropbox, I'm just trying to point out that your argument "I don't KNOW FOR SURE what it does so it COULD DO ANYTHING" applies to basically any Mac app. So if that's your biggest issue with this, maybe you should stick to closed systems like iOS.

In the case of Dropbox, they have already explained why they require Accessibility access (something to do with badges). Accessibility access isn't exactly an unusual thing to ask for, even simpler apps like screenshot utilities sometimes ask you to give them these permissions.
 

CrickettGrrrl

macrumors 6502a
Feb 10, 2012
985
274
B'more or Less
Can someone explain to me why this is an issue?

I use dropbox (not much these days), but I'd like to understand why it's the "Allow the apps below to control your computer" and what implications that means, i.e., someone from dropbox (or a hacker) can use this permission and access my system?

Yes, basically.

Here is a good article:
http://applehelpwriter.com/2016/08/29/discovering-how-dropbox-hacks-your-mac/

They did not follow Apple developer protocol, got around it with a hack. They spoof a dialog box requesting User's password, place their app in Accessibility for complete control of the user's Mac, and have a disturbing persistence in reappearing with permissions in Accessibility if the owner attempts to remove it, rather like malware. None of that is on the up & up.

Can someone from Dropbox or a hacker nose around one's computer with this hack? Yes, it is theoretically possible.
 

Sheza

macrumors 68020
Aug 14, 2010
2,083
1,802
This is the first big misunderstanding in this whole affair.
That dialogue is 100% genuine (called from Apple APIs). You can customize the text that appears ("blabla for Dropbox to work correctly") using older C APIs that are still fully allowed. It is not a "custom Dropbox popup that can see your password".

This has been called out numerous times but unfortunately news articles can't keep up and that blog doesn't seem to want to edit the post (I'm guessing they're getting peak traffic from this story).

--------------------------------

EDIT: Here are the actual APIs to achieve this: https://developer.apple.com/library...f/#//apple_ref/c/func/AuthorizationCopyRights

Parameter: environment
"Data used when authorizing or preauthorizing rights. Not used in OS X v10.2 and earlier. In OS X v10.3 and later, you can pass icon or prompt data to be used in the authentication dialog box"
I never said it was a popup that could see your password.

It is not using the appropriate box though. It's not asking to be added to the accessibility features for control of the computer. It needs the password to hack its way onto that list.

Why not do it like every other app?
 

Mackker

macrumors member
May 22, 2015
39
45
And this is the reason why this authorization API is now deprecated since OS X 10.7. It can be abused.

But Dropbox does not abuse it. The ability to change the popup message is perfectly valid and part of the intended API. They use their own icon and perfectly explain why the authentication is required.

What you are saying applies to any app in existence that asks for elevated permissions.
There is no app that details every little part of what the elevated permissions are used for.
In the case of Dropbox, you can argue that it's shady to circumvent standard practices for Accessibility permissions, but like I said previously it's likely part of a UX enhancement rather than nefarious purposes.

The majority of medium to advanced apps on Mac will need to install a helper and all you ever see is "Enter password to install helper tool".

Do you question every single one of these apps like you are with Dropbox right now and if not then why?

I'm not trying to defend Dropbox, I'm just trying to point out that your argument "I don't KNOW FOR SURE what it does so it COULD DO ANYTHING" applies to basically any Mac app. So if that's your biggest issue with this, maybe you should stick to closed systems like iOS.

In the case of Dropbox, they have already explained why they require Accessibility access (something to do with badges). Accessibility access isn't exactly an unusual thing to ask for, even simpler apps like screenshot utilities sometimes ask you to give them these permissions.

You say that you don't defend them, but saying "Dropbox does not abuse it" proves otherwise, especially when you bold it.
As you said, no one can know for sure if that permissions dialog is the real deal or not.

But again, as I already said earlier, what is known for sure is that Dropbox BEHAVES LIKE A TROJAN.

And one more thing that might not be so obvious: how come Dropbox is able to insert its identifier in the Privacy Database?

As far as I know, this is only possible if it has the same access privileges as an Administrator or Super User.

So what I'm saying is that in my opinion, Dropbox really does cache the password and uses it to gain access to root and this thing goes all the way back to number one: in order to cache the password, they must have access to it right? So in order to get the password they spoof the permissions dialog.
 

Sasparilla

macrumors 68000
Jul 6, 2012
1,962
3,378
Either you trust them or you don't. If you don't, you shouldn't give them any of your files anyway. ;)

A very good statement. It's also important to note that these hard drive backups in the cloud are such honeypots for personal details that the 3 letter agencies will have most certainly been trying to actively work with Dropbox (the biggest vendor). Most companies will come to the conclusion that it is in their best interest to do so (Apple being a true outlier in this area).

https://www.theguardian.com/world/2013/jul/11/microsoft-nsa-collaboration-user-data

http://arstechnica.com/security/201...-to-make-flawed-crypto-algorithm-the-default/

If you're going to use one of these services, better to use one where they don't have the encryption keys to look at your data on their server and no issues with grabbing too many permissions (JMHO):

https://spideroak.com
 

dmdev

macrumors member
Dec 9, 2014
65
43
After reading this article I took away Dropbox's permission to this feature. But then after logging off and logging back on again, Dropbox restored the permission on its own.

To the uninstall box it goes...
 

CrickettGrrrl

macrumors 6502a
Feb 10, 2012
985
274
B'more or Less
After reading this article I took away Dropbox's permission to this feature. But then after logging off and logging back on again, Dropbox restored the permission on its own.

To the uninstall box it goes...

Yes, that persistence is very malware-ish, isn't it.

Besides removing the checkmark in SysPref/Security & Privacy/Accessibility, you have to delete the /library/DropboxHelperTools/ folder, then log out & log back in again. However, you STILL get that annoying popup box requesting your password to which you have to always remember to click "cancel" every time you start up or log in.

So annoying. :mad:
 

AppleInLVX

macrumors 65816
Jan 12, 2010
1,238
744
OK, so what's the solution for us comparable Luddites? If I'm reading all this right, the issue lies with granting Dropbox access to Accessibility features. Furthermore, it seems like Dropbox works without this access. So the solution is to deny that access. But if you do, Dropbox reinstates it without a by-your-leave. Is that right?

So my question is, short of simply jumping ship on Dropbox (which is hard to do given that a considerable number of applications I use sync to Dropbox, and not to iCloud), is there a way to work it so that Dropbox is denied access to Accessibility and yet still functions?

Or have I got this whole thing wrong?
 

Bob Zimmerman

macrumors member
Aug 31, 2015
64
86
I never said it was a popup that could see your password.

It is not using the appropriate box though. It's not asking to be added to the accessibility features for control of the computer. It needs the password to hack its way onto that list.

Why not do it like every other app?
I suspect what it's actually doing is setting up a privileged "helper", which is a SUID executable. SUID stands for Set User ID. It is a UNIX configuration bit that allows a program to run with a particular user's permissions, even if another user starts it. The password prompt is the common way to set that up. Many applications that reach particularly deeply into a system have a watchdog to monitor the environment periodically. When it detects changes that would cause the application to misbehave, it uses a SUID executable to reset the environment without user intervention.
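
As an added illustration of the SUID mechanism described in the post above (not part of the original thread and not Dropbox's code): a short Python audit that lists setuid/setgid files under a directory and marks the ones that would run as root for any caller. The function name is hypothetical, and the default path is the helper folder named elsewhere in this thread.

```python
import os
import stat
import sys


def find_setid_files(root):
    """Return one record per regular file under root that carries the
    setuid or setgid bit, with the facts needed to triage it."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue  # file vanished or is unreadable; skip it
            if not stat.S_ISREG(st.st_mode):
                continue
            setuid = bool(st.st_mode & stat.S_ISUID)
            setgid = bool(st.st_mode & stat.S_ISGID)
            if not (setuid or setgid):
                continue
            findings.append({
                "path": path,
                "mode": stat.filemode(st.st_mode),  # e.g. -rwsr-xr-x
                "owner_uid": st.st_uid,
                "setuid": setuid,
                "setgid": setgid,
                # setuid plus owner uid 0: runs as root whoever starts it
                "runs_as_root": setuid and st.st_uid == 0,
                # writable by group or other, i.e. by someone besides the owner
                "loosely_writable": bool(
                    st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)),
            })
    return findings


if __name__ == "__main__":
    # Default is the folder named in this thread; pass another path to override.
    root = sys.argv[1] if len(sys.argv) > 1 else "/library/DropboxHelperTools/"
    if not os.path.isdir(root):
        sys.exit(f"{root}: not a directory")
    for f in find_setid_files(root):
        tag = "RUNS-AS-ROOT" if f["runs_as_root"] else "set-id"
        if f["loosely_writable"]:
            tag += ",LOOSELY-WRITABLE"
        print(f'{f["mode"]} uid={f["owner_uid"]} {tag} {f["path"]}')
```
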
 

IJ Reilly

macrumors P6
Jul 16, 2002
17,909
1,496
Palookaville
And this is the reason why this authorization API is now deprecated since OS X 10.7. It can be abused.

But Dropbox does not abuse it. The ability to change the popup message is perfectly valid and part of the intended API. They use their own icon and perfectly explain why the authentication is required.

Never try to refute a conspiracy theory. This will automatically make you part of the problem.
 

mw360

macrumors 68020
Aug 15, 2010
2,032
2,395
OK, so what's the solution for us comparable Luddites? If I'm reading all this right, the issue lies with granting Dropbox access to Accessibility features. Furthermore, it seems like Dropbox works without this access. So the solution is to deny that access. But if you do, Dropbox reinstates it without a by-your-leave. Is that right?

So my question is, short of simply jumping ship on Dropbox (which is hard to do given that a considerable number of applications I use sync to Dropbox, and not to iCloud), is there a way to work it so that Dropbox is denied access to Accessibility and yet still functions?

Or have I got this whole thing wrong?

Yes, just wait. Dropbox and Apple have worked together to find a more appropriate solution and it will be active 'soon'.
 

CrickettGrrrl

macrumors 6502a
Feb 10, 2012
985
274
B'more or Less
OK, so what's the solution for us comparable Luddites? If I'm reading all this right, the issue lies with granting Dropbox access to Accessibility features. Furthermore, it seems like Dropbox works without this access. So the solution is to deny that access. But if you do, Dropbox reinstates it without a by-your-leave. Is that right?

So my question is, short of simply jumping ship on Dropbox (which is hard to do given that a considerable number of applications I use sync to Dropbox, and not to iCloud), is there a way to work it so that Dropbox is denied access to Accessibility and yet still functions?

Or have I got this whole thing wrong?

This is what you have to do besides unchecking the box, because you're correct, Dropbox will still work without Accessibility permissions:

Yes, that persistence is very malware-ish, isn't it.

Besides removing the checkmark in SysPref/Security & Privacy/Accessibility, you have to delete the /library/DropboxHelperTools/ folder, then log out & log back in again. However, you STILL get that annoying popup box requesting your password to which you have to always remember to click "cancel" every time you start up or log in.
 

Thunderhawks

Suspended
Feb 17, 2009
4,057
2,118
Can someone explain to me why this is an issue?

I use dropbox (not much these days), but I'd like to understand why it's the "Allow the apps below to control your computer" and what implications that means, i.e., someone from dropbox (or a hacker) can use this permission and access my system?

The first issue is that we do not want anybody to install anything that we do not know about, basically bypassing security.
We may give permission to dropbox anyway, however spoofing to get into the heart of macOS security areas is not ok.

Also, say an employee at dropbox decides to "sell" that knowledge we would be in for a rude awakening.

I use dropbox extensively, but I have to say they have a lot of issues.

For example for iOS they have a "recent files" set up which cannot be modified. There is an almost 2 year thread without them doing anything to modify the app.

The fact that they did not admit to the security breach and its details does not bode well either.

Their business subscription and prices are also not that great.
 

Partron22

macrumors 68030
Apr 13, 2011
2,655
808
Yes
Granted, that's a lot to do with Apple's poor wording, but it doesn't literally mean that at any time an application can take mouse & keyboard control or grant unauthorised remote access.
Apple went somewhat overboard with this. Every time I change a line of code in an AppleScript App that works with other apps, I also have to go back into the security panel, and re-grant access to the Applescript code. It's rather annoying.
 

kurzz

macrumors 6502
May 18, 2007
391
28
Hmm, after I upgrade to Sierra (I usually do a clean install), I'm reluctant to re-install Dropbox. Maybe I won't this time around.
 

Cole Slaw

macrumors 65816
Oct 6, 2006
1,023
1,580
Canada
I don't really get why Dropbox requires the elevated permissions; Google Drive and Onedrive seem to work just fine without it.
As I said in another thread, I've removed both my computers and phone from Dropbox's devices list and uninstalled the app and associated files.
Didn't kill my account altogether though; let's see if they change their ways in future (though honestly I don't need it as there are other alternatives out there).
 

JosephAW

macrumors 603
May 14, 2012
5,962
7,915
Just install Dropbox in the User Application folder located in
~/Applications/
not the
/Applications/
folder
 