Except, if you read the blog, it's inherently clear that Dropbox spoofed the Apple password dialogue box. So they're still not owning up to it. They say it's an Apple OSX box thing, and while it's probably true that Dropbox doesn't see or capture the password you enter, it remains clear that the dialogue box is not really an Apple one.

The evidence in the original article was making invalid assumptions; the extra space is actually evidence that this is probably a real one. The way it works, you provide any string you want, and Apple appends " Type your password to allow this." with the extra space, because it assumes your string doesn't end with a space. The app I worked on had a long string that would've looked better with a CR, but it looked even worse with that extra space. If you have this dialog up you can select the entire section of bold text, indicating it's all in the same text field instead of being two misaligned ones.

So the first sentence is from Dropbox, explaining the odd wording, but the rest of it looks Apple standard. Not that some particularly attentive spoofer couldn't have put a space in to make it convincing to people who know all the quirks! If I had a VM handy I'd try installing it and then run Sample Process to be sure.
 
Reading the article, on one hand it can be just a genuine dialog, since:
a) why would Apple even lie to a customer when asked from a 'security perspective'? and
b) the misleading "linkage" between the accessibility setting and the popup; does "automatically" mean it's a phish attempt?
 
If that is true, why don't other apps do this more?
Note that I said nothing about the quality, appearance, or effectiveness of said fake dialog box. I was more stipulating that something was likely possible in that regard; the entire point of my comment was contained after the first sentence you quote. Many programs that need access to system resources ask for admin access with an official Apple-supplied dialog box at initial startup and use this to endow a helper program with permanent root access. This is not a new thing.
 
Considering this, why does Apple allow the alternate path of escalation that DB used?
I have no idea what's going on inside Apple, so I don't know. If I had to guess, I'd say they simply hadn't thought of the possibility.

And realistically speaking, you probably can't (and shouldn't) make a system 100% immune to what a user with an admin password wants it to do. There are a million valid reasons to tinker with your own Mac, after all. Personally, I wouldn't like it if macOS were totally locked down.

So to me, this is more about trust (in Dropbox's ability/willingness to use the right tools for the job) than about a vulnerability that needs to be fixed.
 
So to me, this is more about trust (in Dropbox's ability/willingness to use the right tools for the job) than about a vulnerability that needs to be fixed.
This. You shouldn't be typing in admin credentials merely "because the system or something asked for them", you should be thinking critically about what program is asking for special permissions and why, and how much you trust it. When that box appears, the system is asking, whether explicit or implied, "do you trust this program to muck about with your system?"

If some random stranger knocked on your front door and asked for your car keys, would you just hand them over? No. Then why hand the keys to your computer over to some random program without considering the ramifications? That doesn't mean you've read every line of the source code, at this point it's more about your notion of the reputation and track record of the developer of the app in question, with substantial consideration given to the path the program took to reach you (download only from Apple or from original trusted developer's sites).
 
I have no idea what's going on inside Apple, so I don't know. If I had to guess, I'd say they simply hadn't thought of the possibility.

And realistically speaking, you probably can't (and shouldn't) make a system 100% immune to what a user with an admin password wants it to do. There are a million valid reasons to tinker with your own Mac, after all. Personally, I wouldn't like it if macOS were totally locked down.

So to me, this is more about trust (in Dropbox's ability/willingness to use the right tools for the job) than about a vulnerability that needs to be fixed.
Thanks for the input. I think your guess "I'd say they simply hadn't thought of the possibility" is possible. But I would think that an escalation of privilege, specifically through the means DB used, would've been evident during testing. I know, you can't catch everything. Hopefully in the future, Apple will close this pathway. From a security standpoint, I think best practice should be a notification and a mandatory user deliberate action, as you described earlier.

Regarding this incident, from a user privilege perspective, I don't want the system locked down further.
This. You shouldn't be typing in admin credentials merely "because the system or something asked for them", you should be thinking critically about what program is asking for special permissions and why, and how much you trust it. When that box appears, the system is asking, whether explicit or implied, "do you trust this program to muck about with your system?"

If some random stranger knocked on your front door and asked for your car keys, would you just hand them over? No. Then why hand the keys to your computer over to some random program without considering the ramifications? That doesn't mean you've read every line of the source code, at this point it's more about your notion of the reputation and track record of the developer of the app in question, with substantial consideration given to the path the program took to reach you (download only from Apple or from original trusted developer's sites).
(Bold by me.)
You're absolutely right. The bold section: not to beat a dead horse, but this is where DB failed. A reputation that includes trust is earned. They knew they were using tools that weren't the norm. Maybe there are good reasons for it. If there are, I haven't read an explanation. Full disclosure on their part should've been an easy decision.
 
True, I grant that the system is "asking" you, but try telling Windows people this?

Anyway, since Dropbox is denying this obvious issue, maybe it's time to move over to iCloud. I was looking at this anyway, so perhaps it's now time.

The correct dialog from OS X is "asking to make changes"; it is NOT "<app name> wants to work properly". So, ya, I agree with all of this. Just had to see proof of it for myself, but as usual, MR is right. :) I'm one tough nut to crack, but you can see why.
 
I've been weaning myself off of Dropbox. I think it's time to avoid this app, given the security risks it exposes on my system.
So this was my bottom line question: safest to just delete Dropbox, especially if you don't use it at all, to be safe? Thanks.
 
Anyway, since Dropbox is denying this obvious issue, maybe it's time to move over to iCloud. I was looking at this anyway, so perhaps it's now time.
What obvious issue is Dropbox denying? That they have a fake permissions dialog? They don't have one. A conspiracy-minded blogger has asserted that they do. He's wrong. Why do you trust his misunderstandings but you don't trust Dropbox? Also, why do you keep denying that you rob banks?
So this was my bottom line question: safest to just delete Dropbox, especially if you don't use it at all, to be safe? Thanks.
It's safest to erase and donate your computer, phone, tablet, and any other networked devices and stay far away from the Internet, if your only criterion is safety.
 
Dropbox asks us to trust them. When software and cloud companies have a history of security incompetence and sloppy procedures, why would we? It is just like a politician saying "trust me" but you know they are lying because of their "tell" - their lips are moving. I am horrified that Dropbox modified my privacy settings without either informing me or asking my permission (save perhaps on the tiny print on page 2,369 of their T&C's). They then start bleating self justifications, when caught in the act, when any sensible company knows it should be grovelling and sending an email of explanation and apology to each of its users. I for one have disabled system access from Dropbox. If it means Dropbox does not work as well pro-tem, that is something I am prepared to live with, to secure my Macs.
 
somewhere in my home directory

The company has a history of shocking carelessness.

Hands up: who remembers that in the past, Dropbox defaulted to using ~/Dropbox – at the root of the user's home directory – without applying proper restrictions?
 
Took me ages to get rid of that "Move To Dropbox" contextual menu that you're never asked whether they can install—to which we'd say no.

How did you get rid of it? It's driving me nuts and I want it gone. Thanks!
The company has a history of shocking carelessness.

Hands up: who remembers that in the past, Dropbox defaulted to using ~/Dropbox – at the root of the user's home directory – without applying proper restrictions?
That was a nasty shock, realizing that everyone on your machine had direct access to everything in your Dropbox folder. Thing was, people were claiming that those were the default permissions, which sounded just stupid. Even if they were, who in their right mind would expect that Dropbox would create a folder accessible to everyone with an account on that machine?
 
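A check for the default-permissions problem described in this post, added here as an example and not code from the thread or from Dropbox: it lists the top-level folders in a home directory that any other local account can read or enter (the exposure a world-readable ~/Dropbox created) and can tighten them to owner-only. The folder names used when exercising it are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or from Dropbox): find top-level folders
# in a home directory that other local accounts can read or enter, which is
# the exposure the ~/Dropbox default created, and optionally lock them down.

# other_bits DIR: print the "other" permission triplet (e.g. r-x) of DIR,
# taken from ls -ld so it works with both BSD/macOS and GNU userlands.
other_bits() {
    ls -ld "$1" | cut -c8-10
}

# exposed_dirs HOME_DIR: print the name of each immediate subdirectory whose
# "other" bits grant read or execute, one per line. A directory that is
# world-readable can be listed; one that is world-executable can be entered
# and its files opened if their own modes allow it.
exposed_dirs() {
    home="$1"
    for d in "$home"/*/; do
        [ -d "$d" ] || continue
        d="${d%/}"
        case "$(other_bits "$d")" in
            *r*|*x*) printf '%s\n' "${d##*/}" ;;
        esac
    done
}

# lock_down_dirs HOME_DIR: set every exposed directory to owner-only (0700).
# Group access is dropped too; on a single-user Mac that changes nothing.
lock_down_dirs() {
    home="$1"
    exposed_dirs "$home" | while IFS= read -r name; do
        chmod 700 "$home/$name"
    done
}

# Typical use on a real account (run manually):
#   exposed_dirs "$HOME"
#   lock_down_dirs "$HOME"
```

Hidden (dot) folders are not scanned, and a sync client may reset the mode on its next run, so re-check after an update.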
How did you get rid of it? It's driving me nuts and I want it gone. Thanks!

If you have the Dropbox app launched and the icon at the top of your screen, click on it and go into Preferences and click General, then disable Finder Integration.

At least that's the way I got rid of the contextual menu.
 
If you have the Dropbox app launched and the icon at the top of your screen, click on it and go into Preferences and click General, then disable Finder Integration.

At least that's the way I got rid of the contextual menu.
Ah, I'd do that but I do like to have the badges that tell me stuff is synced (or not). Thanks tho!
 
Ah, I'd do that but I do like to have the badges that tell me stuff is synced (or not). Thanks tho!

I've not had the green ticks by folders and files, or other badges, for a long time. And, I kid you not, I knew there was something missing and until your post couldn't work out what it was!

The joy of ageing!!!
 
Hear me out.

I stumbled onto this topic trying to research a WAKE FROM SLEEP issue (https://discussions.apple.com/thread/7514234?language=en) with my brand new factory built, apple supplied Mac Mini running El Capitan. The thing behaved fine for the first few days until I found that B/tooth and USB wouldn't wake it up from sleep. After touching the power button I found that both USB and b/tooth were disabled (iPhone wouldn't begin charging, bluetooth icon had a line through it) but only after the mini went into deep sleep. Hard power button press was my only option.

I contacted apple support, reset SVRAM, NVRAM, deleted hibernation files, removed all other peripherals, only used genuine apple keyboard and mouse...the whole diagnostic works.

Then I traced my way back to original box opening by removing any non-apple apps that I had installed. Eventually I got to dropbox and read an article about disabling dropbox finder integration, as well as disabling dropbox in EXTENSIONS. This brought immediate success. My keyboard or mouse would wake from normal sleep or deep sleep, and USB ports reactivated as my iPhone registered the charge icon. Something about dropbox was preventing bluetooth and usb from waking.

A month or so went by without issue but recently the issue returned. I noticed that Dropbox had updated itself. It hadn't re-ticked Finder integration or the EXTENSION but I suspected something amiss. I tried stopping Dropbox from running on startup. No change. Lo and behold, when I read this article then disabled the "allow the apps below to control your computer" and let it go into deep sleep, all was back to normal. Until the next reboot of course, when that box re-ticked itself.

So now I'm paying for a service which creates a sketchy security issue on my computer, and affects its normal operation. It's going to be hard to stay with them.
 
I'm only a light user, so don't rely heavily on something like Dropbox.

For what it's worth - after reading about the 'implications' of Project Infinite - I completely eradicated Dropbox from my system and changed over to Sync.com.

Maybe a bit paranoid but didn't like the sound of where Dropbox is going with this.
 