Dropbox big fail: authentication insecure by design

I remember spending a lot of time discussing Dropbox and similar systems for storing and synchronising data. I was always against using such systems because of the intrinsic lack of safety in moving sensitive data onto third-party systems, and every single time I was told that encryption is the key and “I don’t see how people could read your data” and so on…

In the end, bad news arrived for Dropbox, and it concerns authentication that is insecure by design.

Derek Newton, a Senior Security Engineer, was investigating the inner workings of several of the popular file synchronisation tools with the purpose of finding useful forensics-related artifacts that may be left on a system as a result of using these tools.

Since Dropbox is so popular, he decided to start with it and, following a few steps you can find in his article, he managed to find out where the system fails.

Basically, Mr Newton found that Dropbox uses just the host_id value to authenticate and stores this information only in the file config.db. The problem is that this file is completely portable and is NOT tied to the system in any way.

That’s it!

“Taking the config.db file, copying it onto another system (you may need to modify the Dropbox_path, to a valid path), and then starting the Dropbox client immediately joins that system into the synchronisation group without notifying the authorised user, prompting for credentials, or even getting added to the list of linked devices within your Dropbox account (even though the new system has a completely different name) – this appears to be by design.  Additionally, the host_id is still valid even after the user changes their Dropbox password (thus a standard remediation step of changing credentials does not resolve this issue).”

It doesn’t take much effort to work out the implications: just think of malware that simply exfiltrates Dropbox config.db files to “interested” parties.
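The weakness and one possible server-side remedy, as a simplified model added here (not Dropbox's actual protocol or code, and not taken from Mr Newton's article). The class names, the shared per-device HMAC key and the challenge step are assumptions made for illustration: the first server accepts any client that presents a known host_id, while the second also requires proof of a device key kept outside the copyable config file and revokes linked devices on a password change.

```python
import hashlib
import hmac
import secrets

class HostIdOnlyServer:
    """Model of the behaviour described above: the host_id alone authenticates."""
    def __init__(self):
        self.hosts = {}  # host_id -> account

    def link(self, account):
        host_id = secrets.token_hex(16)
        self.hosts[host_id] = account
        return host_id

    def change_password(self, account):
        pass  # linked host_ids are left untouched, as the quote reports

    def authenticate(self, host_id):
        return host_id in self.hosts

class DeviceBoundServer:
    """Hardened sketch (assumed design): host_id plus proof of a per-device key."""
    def __init__(self):
        self.hosts = {}    # host_id -> (account, device_key)
        self.pending = {}  # host_id -> one-time challenge

    def link(self, account, device_key):
        host_id = secrets.token_hex(16)
        self.hosts[host_id] = (account, device_key)
        return host_id

    def change_password(self, account):
        # Revoke every device linked to the account; each must be re-linked.
        self.hosts = {h: v for h, v in self.hosts.items() if v[0] != account}

    def challenge(self, host_id):
        self.pending[host_id] = secrets.token_bytes(16)
        return self.pending[host_id]

    def authenticate(self, host_id, proof):
        nonce = self.pending.pop(host_id, None)  # each challenge is single-use
        entry = self.hosts.get(host_id)
        if nonce is None or entry is None:
            return False
        return hmac.compare_digest(sign(entry[1], nonce), proof)

def sign(device_key, nonce):
    """Client-side proof: HMAC-SHA256 of the server challenge under the device key."""
    return hmac.new(device_key, nonce, hashlib.sha256).digest()
```

In a real client the device key would live in an OS keystore or hardware-backed store rather than beside the host_id, and an asymmetric key pair would avoid the server holding the same secret.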

Hopefully Dropbox will quickly fix this and contact all users to update all the systems.

Of course this is just one of the pieces of software Mr Newton was studying, but for sure this makes me even less confident in using such synchronisation tools.

2 Responses to “Dropbox big fail: authentication insecure by design”

  1. Ivan De Marino said:

    Apr 09, 11 at 19:25

    That is quite scary!

    With a simple USB-stick attack, people could steal the config.db file and then use it on their own machines.

    It’s true: the only way to secure your machine, is to keep it physically isolated and disconnected from the network 😛

  2. Ugo said:

    Apr 10, 11 at 00:39

    Now I’m wondering if someone was already aware of this weakness and if something like a malware is already around to take advantage of such poor security measures…