Dropbox: Insecure by design?

A researcher has revealed that it's easy for non-authorized computers to access a user's files. But should you worry?

The fundamental security of the Dropbox cloud storage service has been called into question by a researcher.

Dropbox is a poster boy for the nascent cloud storage field and is among the most popular cloud storage services. It works by adding a special folder to your computer's hard disk. Any files you add are automatically uploaded to Dropbox's cloud storage area, and you can install Dropbox on a variety of computers and mobile devices, thereby syncing files across all their devices. Additionally, Dropbox can act as a cloud backup service if only installed on one computer.

The security issue relates to the Dropbox client program and how it authenticates users, which is to say, how each computer proves to the Dropbox cloud it should have access to a user's files.

Security researcher Derek Newton has discovered that authentication relies on a single, unchanging hash code that identifies the computer -- that is, a steam of hexadecimal characters. Anybody who uncovers this hash, which is stored as plain text on the user's hard disk, can sync a user's Dropbox files on any computer, without a username or password prompt appearing. The user will be unaware of this third-party access, unless they check online to see what computers are accessing their account.

Even if the user changes their password, Newton continues, the hash will continue to work. Therefore, stealing the hash is enough for lifetime access to that user's account unless the hash code is withdrawn, which would involve the user unauthorizing the computer whose hash code has been compromised -- something that's not exactly easy or convenient.

Some security experts suggest that a hash code such as this should be unique for every computer, making it non-portable. This can be done by calculating the code based on a unique aspect of each computer, such as the CPU serial code or the network device's MAC address. This hash would be checked by the Dropbox client against the hardware each time the client started to ensure the computer was genuinely allowed access.

However, such methods of specifically identifying computers cause consternation among some online privacy advocates.

What makes the discovery worse, Newton claims, is that the security loophole appears to be there by design. The Dropbox engineers consider this adequate protection for users.

Dropbox has responded by pointing out that for the attack to work, a hacker would have to gain access to a user's computer. At that point "the security battle is already lost," they say, because the hacker would have access to every file on the computer. They compare it to stealing session cookies from a Web browser in order to impersonate a user, although they add that "there are measures that can be taken to make it more difficult (though not impossible) to gain access...which we'll consider in the future."

Outside of hack attacks, there is massive potential for using the hash code to spy on Dropbox users. Simply access a user's computer when they're not around (maybe while they're grabbing a cup of coffee), steal their Dropbox hash code, and you'll be able to monitor or download what they're adding to and removing from their Dropbox account at any time.

Additionally, hackers who install the likes of Trojans or keyloggers could grab the hash code as part of a broader attack and, if their illicit software is discovered and removed, use it to continue accessing the victim's cloud files.

Although most of us change our online passwords after being hacked, how many realize that resetting Dropbox is also necessary? (Resetting would involve deleting the computer from Dropbox's list of known devices, and adding the same computer again, thereby creating a new hash code; this would probably involve syncing all the files from scratch.)

Whether the flaw is anything to be worried about is a matter of opinion. Newton says the only way to use Dropbox with peace of mind is to manually encrypt any data that's stored there, but that defeats the convenience of being able to drag and drop files into and from the Dropbox folder.

The whole issue shows how cloud software developers often trade convenience for security -- having users log in each time to their Dropbox account at each boot-up would make Dropbox significantly less appealing, but creating persistent hassle-free logins for cloud services is a difficult task. Such issues are yet one more hurdle that cloud services will have to bypass to gain the trust of users.

An interesting discussion of the implications of Newton's discovery can be found in the comments section of his blog posting, where various security experts weigh in with their opinion.

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags storage accessorystoragesecurityonline privacycloud computingdata protectioninternet

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Keir Thomas

PC World (US online)
Show Comments

Most Popular Reviews

Latest News Articles


PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?