Dropbox’s Escalation

September 12, 2016

The other day I came across an article that describes in detail how Dropbox circumvents OS X’s security features by phishing your password and installing itself as root.

Once it has your password, it uses it to grant itself extra permissions: it adds itself to the list of authorized accessibility tools and installs an installer that can run whatever Dropbox wants, today or in any future update, as root. If you manually revoke some of that self-granted authorization, it silently grants it again.

In OS X, an authorized accessibility tool can drive the user interface, and the interface can do anything a user can do, since the interface is how a user generally does it. In effect, Dropbox phishes for your password and then uses it to grant itself the authority to control your computer.

You can deny the phishing attempt and Dropbox will work fine, but it will ask for your password again each time you log in until you give in and provide it.
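The practical check for the behaviour described above is to know, at any moment, which apps hold accessibility control and to notice when one you removed comes back. The following audit script is an added example (my own, not from the post or from Dropbox): it lists every client currently granted accessibility control and flags any that is not on an allowlist you maintain, so a silently re-added grant shows up the next time the job runs. It assumes the 10.11-era layout, where these grants live in a SQLite file at /Library/Application Support/com.apple.TCC/TCC.db (readable only by root) in an access table with service, client, client_type and allowed columns, and that accessibility is the service named kTCCServiceAccessibility. The sample database it builds is constructed, and the client names in it are placeholders.

```python
# Added audit script; not from the original post or from Dropbox.
# Assumptions (10.11-era macOS): accessibility grants live in the SQLite
# file /Library/Application Support/com.apple.TCC/TCC.db, in an `access`
# table with columns (service, client, client_type, allowed), and the
# accessibility service is named kTCCServiceAccessibility. Reading the real
# file requires root. The sample database built below is constructed.
import os
import sqlite3
import sys
import tempfile
from pathlib import Path

TCC_DB = "/Library/Application Support/com.apple.TCC/TCC.db"
ACCESSIBILITY = "kTCCServiceAccessibility"


def accessibility_grants(db_path):
    """Clients (bundle ids or paths) currently allowed to control the UI."""
    uri = Path(db_path).resolve().as_uri() + "?mode=ro"  # never write to TCC.db
    conn = sqlite3.connect(uri, uri=True)
    try:
        rows = conn.execute(
            "SELECT client FROM access WHERE service = ? AND allowed = 1 "
            "ORDER BY client",
            (ACCESSIBILITY,),
        ).fetchall()
    finally:
        conn.close()
    return [client for (client,) in rows]


def unexpected_grants(db_path, approved):
    """Grants present in the database that are not on your approved list.

    Run this from a periodic job: a client that reappears here after you
    removed it in System Preferences re-added itself without asking.
    """
    approved = set(approved)
    return [c for c in accessibility_grants(db_path) if c not in approved]


def build_sample_db(path):
    """Constructed sample TCC.db with one grant you approved, one you did
    not, one you revoked, and one unrelated service, for demonstration."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE access (service TEXT, client TEXT, "
        "client_type INTEGER, allowed INTEGER)"
    )
    conn.executemany(
        "INSERT INTO access VALUES (?, ?, ?, ?)",
        [
            (ACCESSIBILITY, "com.example.approved-tool", 0, 1),
            (ACCESSIBILITY, "com.example.silently-added", 0, 1),
            (ACCESSIBILITY, "com.example.revoked", 0, 0),
            ("kTCCServiceAddressBook", "com.example.contacts", 0, 1),
        ],
    )
    conn.commit()
    conn.close()


def demo():
    """Audit the constructed sample; returns (all grants, unexpected grants)."""
    with tempfile.TemporaryDirectory() as tmp:
        db = os.path.join(tmp, "TCC.db")
        build_sample_db(db)
        grants = accessibility_grants(db)
        unexpected = unexpected_grants(db, ["com.example.approved-tool"])
    return grants, unexpected


if __name__ == "__main__":
    # Usage: sudo python3 tcc_audit.py [path/to/TCC.db] approved-client ...
    # With no arguments, audits the constructed sample instead.
    if len(sys.argv) > 1:
        db, approved = sys.argv[1], sys.argv[2:]
        grants, unexpected = accessibility_grants(db), unexpected_grants(db, approved)
    else:
        grants, unexpected = demo()
    print("accessibility grants:", grants)
    print("not on approved list:", unexpected)
```

Without arguments the script audits the constructed sample; on a real machine pass the database path and your approved client ids as arguments under sudo. The database is opened read-only on purpose: the fix for an unwanted grant is to remove it in System Preferences, not to edit the file directly the way Dropbox did.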

The company claims the root access is only there to provide deeper integration with Microsoft Office and the like. The integration is entirely optional: you can click Cancel and use Dropbox perfectly well, but the prompt doesn't present it that way.

The problem isn’t just the possibility of Dropbox doing something nefarious with total access to your system. It’s that the access is unnecessary, that it is taken on the sly, and that it widens the attack surface. What if someone compromises Dropbox’s update system and pushes a rogue update? Even setting that aside, local malware would not need an exploit against the operating system itself; it would only need to compromise the Dropbox process, which already holds accessibility authority and a root-capable installer.

Dropbox has a long and storied history with security. And I don’t mean the time they accidentally turned off password checking and let anyone log in to any account whose email address they knew, nor the 2012 breach in which a bunch of user data was taken, the one over which they only got around to resetting user passwords in 2016.

Dropbox has always been a hack. That’s why it’s not for download on the Mac App Store. It doesn’t meet Apple’s security guidelines and never has. For example, here’s how Dropbox added the little green checkmarks to your icons to inform you they’re synced:

We had to reverse engineer without source code — basically open heart surgery on the Finder to discover the assembly language routine that draws icons — and then squeeze in our little icon. You have to do similar but different things on Tiger, on Leopard, on Snow Leopard, on Lion, thirty-two bit, sixty-four bit — every presentation. It is exhausting.

Drew Houston, Dropbox co-founder and CEO

In the past on Windows, and likely on other platforms as well, Dropbox stored an access token on your computer at %APPDATA%\Dropbox\config.db. The file’s contents were plaintext, so anyone who read or exfiltrated it (local malware, or whoever got hold of a backup) could read and write your Dropbox account as you, without ever needing your password.

One of OS X 10.11’s additions was System Integrity Protection (SIP), which, even for root, blocks writes to key system directories and code injection into system processes such as the Finder. Several great programs that stayed off the Mac App Store because they eschew Apple’s security guidelines needed changes to keep working under SIP: Bartender, Little Snitch, Homebrew. So did Dropbox. It had to stop injecting the green ‘synced’ checkmarks into the Finder and use Apple’s official mechanism for badging icons, Finder Sync extensions, which Apple had shipped in the previous release. Dropbox had simply kept using the old injection hack after a proper method was available.

But Dropbox wants to go deeper than rooting your computer and injecting code into memory to draw green checkmarks. Some time ago it announced Project Infinite, a way to give people with little or no free disk space access to the entirety of their Dropbox folder by fetching file contents over the network on demand. The problem isn’t that data goes over the wire; it already does. The problem is what Dropbox needs from you to do it: kernel access, in the form of a kernel extension that runs with the same privileges as the operating system itself, so any bug in it is a bug in your kernel.

I’ve used Dropbox for a long time. I even spent a few minutes reloading virtual-machine snapshots to exploit their referrals to gain more free storage space. But I’ve long left Dropbox for sensitive files due to their repeated security lapses and other concerns. I’m starting to think it might be a good idea to give up Dropbox for less-than-sensitive files too.

Fortunately, what Dropbox does is a commodity today. There are many cloud storage options out there, and many offer the novel implementation that made Dropbox so popular: your drive appearing as a local folder on your computer.

iCloud Drive, Google Drive, and OneDrive are all multiplatform with operating system integration and web apps. For the security conscious, there’s SpiderOak. For do-it-yourself types, there’s ownCloud, Seafile, ExpanDrive. If you just want file syncing, there’s Syncthing, BitTorrent Sync, or rsync. There are countless options. Dropbox is just one.