Dropbox has said it needs to do a "better job" of communicating its OS X integration, after claims emerged online that its Mac app was phishing for user passwords and even "hacks" the operating system on installation.

Developers of the cloud storage service were forced to reply to accusations which appeared on Hacker News that the client app was a security risk and "couldn't be trusted", because of the way it takes control of system features without asking for permission to do so.

dropbox-privacy

Dropbox gains access to Accessibility features without requesting access.

Concerns were raised after it was demonstrated that Dropbox appears in the Security & Privacy tab for Accessibility, despite the fact that users are never prompted to grant access to the features.

Let’s assume for the sake of argument that Dropbox never does any evil on your computer. It remains the fact that the Dropbox process has that ability. And that means, if Dropbox itself has a bug in it, it’s possible an attacker could take control of your computer by hijacking flaws in Dropbox’s code. Of course, that’s entirely theoretical, but all security risks are until someone exploits them. The essence of good computer security and indeed the very reason why OSX has these kinds of safeguards in place to begin with is that apps should not have permissions greater than those that they need to do their job.


Responding to the accusations
, Dropbox said it only asks for the permissions it needs and uses the Accessibility features for certain app integrations like Office, although the permissions aren't as "granular" as the company would like.

Dropbox, like other apps, requires additional permissions to enable certain features and integrations. The operating system on a user's device may ask them to input their password to confirm. Dropbox never sees or receives these passwords. Reports of Dropbox spoofing interfaces, or capturing system passwords are absolutely false. We realize that we can do a better job communicating how these permissions are used, and we're working on improving this.

Dropbox said it was working with Apple to reduce its dependence on elevated access in macOS Sierra, and will respect when people disable Dropbox's Accessibility permissions. In the meantime, Hacker News wants the firm to more explicitly outline why it needs the permissions it does.

The latest news comes at a sensitive time for the cloud storage outfit. Two weeks ago, it was revealed that over 68 million Dropbox accounts were implicated in a hack that took place in 2012.

Due to a password hack connected to other websites, hackers were able to sign in to "a small number" of Dropbox accounts, said the company, including an employee's who had access to a document listing an array of user email addresses. But when Dropbox announced a preventative password reset measure, it made no mention of the extent of the users touched by the four-year-old hack.

Earlier this year, Dropbox was also forced to defend a feature called Project Infinite, which allows users to access all of the content in their account as if it is stored on their own machine, regardless of how small their hard disk is. The feature requires kernel-level access to computers in order to function, which critics suggested could leave it open to serious vulnerabilities.

Update: Dropbox has contacted MacRumors to reiterate that it "categorically denies" its Mac client phishes for user passwords or "hacks" the operating system on installation, but agreed that "we need to do more to be more transparent and make it clearer why we need access permission to a Mac OS". The company also added that the account information stolen in 2012 was hashed and salted, meaning it is unlikely hackers were able to obtain many of the users' actual passwords.

Tag: Dropbox

Top Rated Comments

Cindori Avatar
61 months ago
Except, if you read the blog, it's inherently clear that Dropbox spoofed the Apple password dialogue box. So they're still not owning up to it. They say it's an Apple OSX box thing, and while it's probably true that Dropbox doesn't see or capture the password you enter, it remains clear that the dialogue box is not really an Apple one.

This is the first big misunderstanding in this whole affair.
That dialogue is 100% genuine (called from Apple API's). You can customize the text that appears ("blabla for Dropbox to work correctly") using older C-API's that are still fully allowed. It is not a "custom Dropbox popup that can see your password".

This has been called out numerous times but unfortunately news articles can't keep up and that blog doesn't seem to want to edit the post (I'm guessing they're getting peak traffic from this story).

--------------------------------

EDIT: Here is the actual API's to achieve this: https://developer.apple.com/library/mac/documentation/Security/Reference/authorization_ref/#//apple_ref/c/func/AuthorizationCopyRights

Parameter: environment
"Data used when authorizing or preauthorizing rights. Not used in OS X v10.2 and earlier. In OS X v10.3 and later, you can pass icon or prompt data to be used in the authentication dialog box"
Score: 16 Votes (Like | Disagree)
Mackker Avatar
61 months ago
Dropbox engineer's response is total ********!
Take a look at the attached images.
[doublepost=1473677349][/doublepost]
Fundementally, this whole kerfuffle comes from users not understanding what 'Allow the apps below to control your computer' in System Preferences actually means. Granted, that's a lot to do with Apple's poor wording, but it doesn't literally mean that at any time an application can take mouse & keyboard control or grant unauthorised remote access.

Due to how locked down the newer OSs are, it's not unusual for apps to need this enabled just to access features that were readily available on earlier OS X iterations.
No dude, there's no confusion here.
The problems are as follows:

1. Dropbox spoofs OSX's permissions dialog.
2. Dropbox enables special permissions on behalf of the user instead of letting OSX enabling permissions on behalf of its user (lol, see first point to understand why).
3. In order to be able to do point 2, Dropbox uses hacking tactics like modifying a system's database to force the OS to enable permissions (sudo, anyone? Point 1 again)
4. If an user tries to disable the unknowingly self-given permissions, magic happens! the agent re-enables itself!

That's PURE EVIL coming from Dropbox!

LE:
About UI Spoofing on OSX: http://www.symantec.com/connect/blogs/mac-os-x-dialog-box-spoofing-believe-me-i-m-system-preferences

LE2:
For people trying to prove that Dropbox isn't spoofing the permissions dialog, there's one more thing that might not be so obvious: how come Dropbox is able to insert its identifier in the Privacy Database?

As far as I know, this is only possible if it has the same access privileges as an Administrator or Super User.

So what I'm saying is that in my opinion, Dropbox really does cache the password and uses it to gain access to root and this thing goes all the way back to number one: in order to cache the password, they must have access to it right? So in order to get the password they spoof the permissions dialog.

Attachment Image

Attachment Image

Attachment Image

Attachment Image
Score: 14 Votes (Like | Disagree)
Sheza Avatar
61 months ago
Reports of Dropbox spoofing interfaces, [...] are absolutely false.
Except, if you read the blog, it's inherently clear that Dropbox spoofed the Apple password dialogue box. So they're still not owning up to it. They say it's an Apple OSX box thing, and while it's probably true that Dropbox doesn't see or capture the password you enter, it remains clear that the dialogue box is not really an Apple one.

Score: 13 Votes (Like | Disagree)
Cindori Avatar
61 months ago
But are they?
I think it's pretty obvious that they are. Why would they not? The API allows it.

The only confusion here stems from people without knowledge of these API's drawing conclusions like "they are using fake popups because the message is not like the standard popup!11!" in their efforts to find more "incriminating stuff" about Dropbox's practices.

As for their practices in general I personally think they are designed from a UX perspective - enter password once and be done with setup and not the "conspiracy-steal-password-control-your-computer-malware" FUD that is being spread right now.
Score: 8 Votes (Like | Disagree)
Nozuka Avatar
61 months ago
Either you trust them or you don't. If you don't, you shouldn't give them any of your files anyway. ;)
Score: 6 Votes (Like | Disagree)
Cindori Avatar
61 months ago
Could you please post a link to some documentation backing up what you're saying?
Found it: https://developer.apple.com/library/mac/documentation/Security/Reference/authorization_ref/#//apple_ref/c/func/AuthorizationCopyRights

This is straight from the documentation:

Parameter: environment
Data used when authorizing or preauthorizing rights. Not used in OS X v10.2 and earlier. In OS X v10.3 and later, you can pass icon or prompt data to be used in the authentication dialog box.

This is what Dropbox is using.
Score: 6 Votes (Like | Disagree)

Top Stories

General Music and AirPod 3 Feature

Rumor: Apple to Announce Third-Generation AirPods and HiFi Apple Music Tier on May 18

Thursday May 13, 2021 10:32 pm PDT by
A new rumor suggests that Apple will announce the third-generation AirPods and the recently rumored HiFi, or high-fidelity Apple Music tier, on Tuesday, May 18, via a press release on its website. The new rumor comes from Apple YouTuber Luke Miani who shared the alleged exclusive news with the AppleTrack website. According to the YouTuber, Apple plans to release the next-generation AirPods...
2021 mbp hdmi slot 3d

2021 MacBook Pro Leaks Confirm Returning MagSafe and Ports

Friday May 14, 2021 3:06 am PDT by
Apple's upcoming MacBook Pro models are expected to feature a number of major changes such as larger display options and powerful new Apple silicon chips. Among the more surprising updates to this year's MacBook Pro models is the return of three ports that have been missing from the machines for over five years. Expected to come in 14- and 16-inch sizes, the 2021 MacBook Pro models are...
apple park drone june 2018 2

Apple Fires Newly Hired Ex-Facebook Product Manager Following Revelations of Past Misogynistic Comments

Thursday May 13, 2021 12:10 am PDT by
Apple has fired Antonio García Martínez, an ex-Facebook product manager and author of the controversial book "Chaos Monkeys," following public and internal calls for removal and investigation due to past misogynistic statements, The Verge reports. Apple hired Martínez earlier this week to join its ads team, however, comments that Martínez made in the past sparked condemnation from users...
magic mouse space gray discontinued

Apple Discontinuing Space Gray Mac Accessories Now That iMac Pro is Dead

Friday May 14, 2021 11:52 am PDT by
Following the discontinuation of the iMac Pro, Apple also appears to be discontinuing Space Gray "Magic" accessories that it sold separately alongside the iMac Pro. The iMac Pro was the only Space Gray Mac, and Apple designed special matching accessories for it. The Space Gray Magic Mouse 2, Magic Keyboard, and Magic Trackpad all now say "While supplies last" in small wording at the bottom...
tile amazon sidewalk integration

Apple Says Tile Trackers Sold Poorly in Apple Stores

Friday May 14, 2021 4:53 am PDT by
Earlier last month, Spotify, Tile, and Match (owner of Tinder), testified at an app store antitrust hearing spearheaded by the U.S. Senate. During the hearing, Spotify called Apple's App Store "an abusive power grab," while Tile said Apple uses its platform to "unfairly limit competition for its products." Now, in response to their testimonies, Apple's vice president and chief compliance...
google photos

PSA: Google Photos Unlimited Storage Ends Next Month, Here's How to Export Your Pictures to iCloud

Thursday May 13, 2021 5:26 am PDT by
For as long as it's existed, Google Photos has offered free unlimited storage for uploading images at a reduced yet good enough quality for most users. From June 1, 2021, however, all photos and videos uploaded to Google accounts will count against users' cloud storage. If you've been relying on Google to back up your media library, it may be time to move that content elsewhere. This article...
fortnite apple logo 2

Judge in Epic vs. Apple Case Floats Potential Compromise

Wednesday May 12, 2021 3:54 pm PDT by
In the ongoing legal battle between Apple and Epic Games, the two companies are this week calling up their expert witnesses to argue their points before Judge Yvonne Gonzalez Rogers, who will make a decision in the case after a three week trial. Expert testimony is not as exciting as some of the leaked App Store documents that were highlighted last week, especially as much of what's being...
syng cell alpha

Longtime Apple Designer Christopher Stringer's Latest Project Is a High-Fidelity Speaker With AirPlay 2

Friday May 14, 2021 7:30 am PDT by
Christopher Stringer, a key member of Jony Ive's design team who spent 21 years at Apple before departing in 2017, is resurfacing today with his new venture Syng, which seeks to make an impact in the high-end audio market. Stringer, who contributed to many of the most iconic product designs in Apple's history, announced his plans roughly a year ago, and Syng is today introducing its flagship ...
Twitter Feature

Twitter's 'Blue' Subscription Service May Cost $2.99, Will Offer Undo Tweet Option

Saturday May 15, 2021 11:08 am PDT by
Twitter has been working on some kind of subscription service since last summer, and Jane Manchun Wong, who often digs into new features coming in apps, has shared details on just what Twitter is exploring. Twitter's subscription service could be called Twitter Blue, and at the current time, it's priced at $2.99 per month. There will be a "Collections" section that allows users to save and...
imac m1 blue isolated 16x9 500k

M1 iMac is Up to 56% Faster Than Prior-Generation High-End 21.5-Inch iMac

Wednesday May 12, 2021 10:03 am PDT by
Apple's M1 iMacs are set to start delivering to customers next week, and ahead of the official launch day, benchmarks for the machines have been showing up on Geekbench, likely from reviewers who are testing them. It will come as no surprise that M1 iMac benchmarks are right on par with benchmarks for the M1 MacBook Pro, MacBook Air, and Mac mini, coming in with an average single-core score...