Dropbox: Insecure by design?

A researcher has revealed that it's easy for non-authorized computers to access a user's files. But should you worry?

The fundamental security of the Dropbox cloud storage service has been called into question by a researcher.

Dropbox is a poster boy for the nascent cloud storage field and is among the most popular cloud storage services. It works by adding a special folder to your computer's hard disk. Any files you add are automatically uploaded to Dropbox's cloud storage area, and you can install Dropbox on a variety of computers and mobile devices, thereby syncing files across all their devices. Additionally, Dropbox can act as a cloud backup service if only installed on one computer.

The security issue relates to the Dropbox client program and how it authenticates users, which is to say, how each computer proves to the Dropbox cloud it should have access to a user's files.

Security researcher Derek Newton has discovered that authentication relies on a single, unchanging hash code that identifies the computer -- that is, a steam of hexadecimal characters. Anybody who uncovers this hash, which is stored as plain text on the user's hard disk, can sync a user's Dropbox files on any computer, without a username or password prompt appearing. The user will be unaware of this third-party access, unless they check online to see what computers are accessing their account.

Even if the user changes their password, Newton continues, the hash will continue to work. Therefore, stealing the hash is enough for lifetime access to that user's account unless the hash code is withdrawn, which would involve the user unauthorizing the computer whose hash code has been compromised -- something that's not exactly easy or convenient.

Some security experts suggest that a hash code such as this should be unique for every computer, making it non-portable. This can be done by calculating the code based on a unique aspect of each computer, such as the CPU serial code or the network device's MAC address. This hash would be checked by the Dropbox client against the hardware each time the client started to ensure the computer was genuinely allowed access.

However, such methods of specifically identifying computers cause consternation among some online privacy advocates.

What makes the discovery worse, Newton claims, is that the security loophole appears to be there by design. The Dropbox engineers consider this adequate protection for users.

Dropbox has responded by pointing out that for the attack to work, a hacker would have to gain access to a user's computer. At that point "the security battle is already lost," they say, because the hacker would have access to every file on the computer. They compare it to stealing session cookies from a Web browser in order to impersonate a user, although they add that "there are measures that can be taken to make it more difficult (though not impossible) to gain access...which we'll consider in the future."

Outside of hack attacks, there is massive potential for using the hash code to spy on Dropbox users. Simply access a user's computer when they're not around (maybe while they're grabbing a cup of coffee), steal their Dropbox hash code, and you'll be able to monitor or download what they're adding to and removing from their Dropbox account at any time.

Additionally, hackers who install the likes of Trojans or keyloggers could grab the hash code as part of a broader attack and, if their illicit software is discovered and removed, use it to continue accessing the victim's cloud files.

Although most of us change our online passwords after being hacked, how many realize that resetting Dropbox is also necessary? (Resetting would involve deleting the computer from Dropbox's list of known devices, and adding the same computer again, thereby creating a new hash code; this would probably involve syncing all the files from scratch.)

Whether the flaw is anything to be worried about is a matter of opinion. Newton says the only way to use Dropbox with peace of mind is to manually encrypt any data that's stored there, but that defeats the convenience of being able to drag and drop files into and from the Dropbox folder.

The whole issue shows how cloud software developers often trade convenience for security -- having users log in each time to their Dropbox account at each boot-up would make Dropbox significantly less appealing, but creating persistent hassle-free logins for cloud services is a difficult task. Such issues are yet one more hurdle that cloud services will have to bypass to gain the trust of users.

An interesting discussion of the implications of Newton's discovery can be found in the comments section of his blog posting, where various security experts weigh in with their opinion.

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags storage accessorystoragesecurityonline privacycloud computingdata protectioninternet

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Keir Thomas

PC World (US online)
Show Comments

Essentials

Microsoft L5V-00027 Sculpt Ergonomic Keyboard Desktop

Learn more >

Lexar® JumpDrive® S57 USB 3.0 flash drive

Learn more >

Mobile

Lexar® JumpDrive® S45 USB 3.0 flash drive 

Learn more >

Exec

Lexar® Professional 1800x microSDHC™/microSDXC™ UHS-II cards 

Learn more >

HD Pan/Tilt Wi-Fi Camera with Night Vision NC450

Learn more >

Lexar® JumpDrive® C20c USB Type-C flash drive 

Learn more >

Audio-Technica ATH-ANC70 Noise Cancelling Headphones

Learn more >

Budget

Back To Business Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?