Due to Dropbox’s simple sharing mechanism, a hacker can easily gain access to a user’s shared items by stealing one configuration file.
Dropbox, a popular file sync tool, is now subject to a major security flaw that can easily put a user’s shared items at risk of being exposed.
Dropbox requires users to install a small client on their computers, which then syncs and manages files across multiple machines. According to security expert Derek Newton, the issue lies in the simple configuration file that makes the syncing possible. The file, config.db, is a small database table containing only three fields: the user’s email, the Dropbox folder path and the host ID. However, the host ID does not appear to be tied to a specific host, and it does not appear to change over time either. A hacker can take advantage of this by releasing malware that copies the contents of the database file; using it with his own Dropbox installation, he instantly becomes one of the user’s approved computers. Unfortunately, Dropbox does not notify a user of how many machines are connected to the shared folder, leaving users with no way to tell whether their account has been compromised.
This has been described as similar to having a password stolen, yet a user is left with very few options to protect his shared files. Newton gives the following advice for users of the software:
1) Don’t use Dropbox and/or allow your users to use Dropbox. This is the obvious remediating step, but is not always practical – I do think that Dropbox can be useful, if you take steps to protect your data…
2) Protect your data: use strong encryption to protect sensitive data stored in your Dropbox and protect your passphrase (do not store your passphrase in your Dropbox or on the same system/device).
3) Be diligent about removing old systems from your list of authorized systems within Dropbox. Also, monitor the “Last Activity” time listed on the My Computers list within Dropbox. If you see a system checking in that shouldn’t be, unlink it immediately.
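The third point above is about noticing a client that should not be linked. As an added example (not code from the article, from Newton or from Dropbox), the script below audits the local config.db that holds the host ID: it reports whether other accounts on the machine can read it, tightens the permissions to owner-only, and records a digest so a later rewrite of the file can be spotted. The file location is an assumption for Linux/macOS clients; Windows installs use ACLs rather than mode bits.

```python
import hashlib
import stat
from pathlib import Path
from typing import Optional

# Assumed location of the client's configuration on Linux/macOS; Windows
# installs keep it under the user's profile and use ACLs instead of mode bits.
DEFAULT_CONFIG_DB = Path.home() / ".dropbox" / "config.db"


def sha256_of(path: Path) -> str:
    """Digest the file in chunks so large files are not read into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_config_db(path: Path = DEFAULT_CONFIG_DB,
                    baseline_hash: Optional[str] = None) -> dict:
    """Report whether other local accounts can read the host ID file and
    whether its contents differ from a previously recorded baseline."""
    mode = stat.S_IMODE(path.stat().st_mode)
    current = sha256_of(path)
    return {
        "mode": oct(mode),
        # Any group/other read bit means a different local account (or a
        # service running as one) can copy the host ID without privileges.
        "group_readable": bool(mode & stat.S_IRGRP),
        "world_readable": bool(mode & stat.S_IROTH),
        "sha256": current,
        # The host ID is not expected to change; a new digest means the file
        # was rewritten, which deserves a look at the My Computers list.
        "changed_since_baseline": baseline_hash is not None and current != baseline_hash,
    }


def harden_config_db(path: Path = DEFAULT_CONFIG_DB) -> dict:
    """Restrict the file to owner read/write (0600) and return a fresh audit."""
    path.chmod(stat.S_IRUSR | stat.S_IWUSR)
    return audit_config_db(path)


if __name__ == "__main__":
    for key, value in audit_config_db().items():
        print(f"{key}: {value}")
```

This limits exposure to other local accounts only; malware running under the user’s own account, the scenario the article describes, can still read the file, which is why the second point (encrypting the data itself) remains the stronger control.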
Dropbox has yet to comment on the matter.