
How Dropbox hacks your mac - broabprobe
http://applehelpwriter.com/2016/07/28/revealing-dropboxs-dirty-little-security-hack/
======
gumby
Wow, this is _really_ bad. There is no need for it as Apple has an API for
finding out which files have changed. I assume they do this simply to animate
the little icon in the Finder (since I don't think anyone else does anything
like it, and it was a famous question by Jobs to the DB founders). Although
the author's follow on article suggest it's just for future use!

I guess that's it for Dropbox for me. Though as the author says, they're not
going to care.

~~~
rsmoz
They actually use a public macOS API for those Finder icons. It seems like
there's no reason at all they needed to do this. It's really shitty.

~~~
gumby
Even worse!

Fortunately their service is now a commodity (as Jobs told them when they
demoed for him, they are simply a feature). I have always preferred Drobox
just because it seemed the simplest (and they supported Linux). But switching
just takes a short time to copy my files to one of their competitors.

I prepaid for a year's Dropbox service. I wonder how much luck I will have
getting a refund on the unused amount.

I wonder why they chose to gratuitously be assholes?

------
thenewwazoo
Wow, this is really impressively brazen. A faked authorization prompt, and
silent reconfiguration of a security setting without authorization? I cannot
fathom why DropBox thinks this is a good idea.

~~~
mannykannot
Bad as it is, Apple's unwillingness to deal with it is even worse.

------
szhu
Dropbox has always been doing been forcing users to give it admin permissions
for non-necessary reasons. I posted about this on the Dropbox forums back in
2009:

[http://web.archive.org/web/20120127192749/http://forums.drop...](http://web.archive.org/web/20120127192749/http://forums.dropbox.com/topic.php?id=14994)

Seven years later and they're still at it? I doubt this article will make them
change.

I noted that, curiously, if I denied it admin permissions, Dropbox would still
work. I know for fact that it I never granted admin permissions because I did
not have my own computer back then, and I was using Dropbox just fine.

What really baffles me is why they don't give users a choice of whether to
make their system less secure when their product clearly works without those
extra permissions.

------
PhantomGremlin
I installed Dropbox, fully knowing that it embedded itself into the OS. But I
assumed that it was using a proper API to do so.

I need to rethink that soon. If macOS Sierra's (to be released next week?)
similar replication features work properly, doesn't Dropbox become expendable
for customers playing exclusively within Apple's ecosystem?

~~~
SyneRyder
Seems it would be expendable in that use case, but "work properly" seems to be
the catch. On MacBreak Weekly this week, Adam Engst was recommending listeners
immediately disable that feature when Sierra launches, as he's been finding it
buggy & running into data loss situations.

------
cpcallen
Yikes!:

    
    
        $ ls -l /Library/DropboxHelperTools/
        total 1492
        -r-s--x--x   1 root  wheel  1523840 31 Aug 18:22 DropboxHelperInstaller*
        drwxr-xr-x  12 root  wheel      408 31 Aug 18:22 Dropbox_u501/

~~~
cpcallen
Oh no, not just on setuid root binary, no: several more too, plus a setgid
procview one for good measure:

    
    
        $ ls -l /Library/DropboxHelperTools/Dropbox_u501
        total 328
        drwxr-xr-x  4 root  wheel        136  4 Apr 17:59 DropboxBundle.bundle/
        -r-s--x--x  1 root  wheel     139220 31 Aug 18:22 FinderLoadBundle*
        -rwxr-sr-x  1 root  procview   64368 23 May  2011 atos*
        -r-s--x--x  1 root  wheel       9632 31 Aug 18:22 dbaccessperm*
        -r-s--x--x  1 root  wheel     116668 31 Aug 18:22 dbfseventsd*
        drwxr-xr-x  4 root  wheel        136 31 Aug 18:22 mach_inject_bundle_stub.bundle/

~~~
danielhlockard
FWIW, I only have dbaccessperm and dbfsevnentsd in my u501 folder.

------
cstrat
I totally missed this post - but having read it am pretty shocked. Is that
really what the app is doing? Storing the admin password so that it can
override your OS settings?

Not happy about that at all...

What are the implications of not giving it your admin password?

~~~
ninju
If you read the entire article he's says what happens if you _don 't_ give it
your admin password

~~~
cstrat
Yeah I didn't think that there was a definitive answer in the article, kind of
says that dropbox will just keep asking for it on boot. I was asking to see if
anyone knew what APIs dropbox might be hooking into, but @szhu in a post above
has kind of confirmed that nothing really happens. I took a look at this 2009
post. Interesting.

pretty disappointing really.

------
threepipeproblm
Whoever made this decision probably doesn't realize how people like us tend to
steer a lot of the decisions that drive Dropbox usage. I've had to ask 5
companies to install Dropbox this year. And I was already thinking to myself
-- why Dropbox? Because it's popular? Now I'm going to be looking seriously at
Box instead.

------
tinus_hn
That is pretty sleazy. Here the author provides instructions on how to remove
this:

[http://applehelpwriter.com/2016/07/28/revealing-dropboxs-
dir...](http://applehelpwriter.com/2016/07/28/revealing-dropboxs-dirty-little-
security-hack/#comment-27348)

------
gumby
BTW there actually is a legit case when DB would need your admin permissions:
so you can save files with different ownership (or suid files) in your DB.

But they could handle this by asking for permission when they need to
read/write those files.

None of this excuses them: since they use an underhanded dialog box I don't
trust them at all. Unfortunately.

------
_razvan
Dropbox does this because it uses the accessibility features of the OS in
order to implement the Dropbox Badge [1] / Project Harmony.

[1] [https://www.dropbox.com/help/7672](https://www.dropbox.com/help/7672)

------
norea-armozel
Now I have to wonder if this sort of nonsense goes on with their Windows and
mobile (iOS/Android) implementations. Or are those OSes too different from how
OSX works to be comparable?

------
troels
Do anybody know _why_ they are doing this? It seems like a lot of effort to go
through, for no apparent reason.

------
SchizoDuckie
tl;dr: When dropbox asks for your admin password it stores it in it's own
cache to keep having access and perform admin-level tasks.

It's not a hack, it's you giving away your credentials on a screen that's
designed to look like a system password prompt.

A Dark UI pattern at most, and a security leak whenever someone hacks the
dropbox auth storage. Not a hack, just clickbait.

~~~
angryasian
It could be a form of social hacking. They claim they need these permissions
but actually don't. Who knows what they are actually doing in this case.

>The general function of social hacking is to gain access to restricted
information or to a physical space without proper permission.

