Critical Security Flaw Found In Dropbox
If you’re unfamiliar with Dropbox, it is basically a tool that allows users to sync files between multiple computers and devices. To use the system, the user installs the software, points to a folder to be synchronized, and is then able to access those files among other computers or devices that he or she owns. A critical security flaw has recently been spotted that could expose users’ files to anyone and everyone on the web.
Security specialist Derek Newton claims that the problem comes from using a simple configuration file to link all Dropbox machines together. The file is called config.db and is a small table containing three fields: email, dropbox_path, and host_id.
The host_id is not tied to a specific host and does not change over time, allowing an attacker to create malware that stealthily locates and sends back the config.db file. The attacker is then able to start up a copy of Dropbox with the stolen config file and see the user’s files. Since the tool does not notify the user of how many machines are connected to the network, the victim would never know that their information was being stolen. Some people claim that this is similar to a stolen password or SSH keyring but it seems more serious given that the user has no idea of occurrence. Check out the video below the bullet list, to see this vulnerability on video (no audio).
Here are some tips if you think your system may be compromised:
1.Don’t use Dropbox and/or allow your users to use Dropbox. This is the obvious remediating step, but is not always practical – I do think that Dropbox can be useful, if you take steps to protect your data…
2.Protect your data: use strong encryption to protect sensitive data stored in your Dropbox and protect your passphrase (do not store your passphrase in your Dropbox or on the same system/device).
3.Be diligent about removing old systems from your list of authorized systems within Dropbox. Also, monitor the “Last Activity” time listed on the My Computers list within Dropbox. If you see a system checking in that shouldn’t be, unlink it immediately.