Dropbox to Fix Host ID Security Issue

Status
Not open for further replies.

jamescv7

Level 85
Thread author
Verified
Honorary Member
Mar 15, 2011
13,070
A security researcher claims that Dropbox is vulnerable to a design flaw that makes it easy for attackers to copy data from people's accounts if they obtain access to a particular file.

According to security expert Derek Newton, after adding a computer to the sync chain, the Windows Dropbox client generates a unique host_id token and stores it in the %APPDATA%\Dropbox\config.db file.

This host_id is used to authenticate the computer with the service and, apparently, it can be easily transferred to another system and used to download a copy of the data on it.

The problem is that Dropbox does not perform any additional checks to determine if the host_id is actually located on the computer it was generated on.

Newton explains that a trojan can be configured to extract the host_id from config.db and send it to hackers for accessing the victim's data.

 

bogdan

Level 1
Jan 7, 2011
1,362
RE: Security Vulnerability Allegedly Discovered in Dropbox Client

Sounds possible but you shouldn't put private data in your dropbox anyway since it is not encrypted locally.
 

jamescv7

Level 85
Thread author
Verified
Honorary Member
Mar 15, 2011
13,070
In a blog post clarifying some recent Terms of Service (TOS) changes, Dropbox also promises to make it impossible for attackers to steal the host_id from one computer and access the associated account on another.

Earlier this month, security expert Derek Newton revealed that hackers can easily download all files in people's Dropbox accounts if they steal the application's configuration file from their computers.

This file contains a unique value called "host_id" that gets generated when the computer is first linked with a Dropbox account.

The problem with this value is that it's not system-dependent, meaning it's not tied to a particular computer or configuration.

If an attacker can obtain this piece of information, via malware, a backdoor or physical access, they can insert it into their own config.db file and download all files from the victim's account.

Softpedia
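The two posts above describe the same weakness from two angles: host_id is a bearer credential (whoever holds the value is the device), and the fix the second post anticipates is to make it fail when presented from any other computer. The following added example is not code from this thread or from Dropbox; it models both designs with a hypothetical in-memory server so the difference can be run. The account files, the device key and the challenge-response flow are constructed stand-ins, and the "machine-bound store" is represented only by a byte string that never goes into the config file.

```python
import hashlib
import hmac
import secrets

# Constructed sample data for the demo: not real Dropbox files or identifiers.
VICTIM_FILES = {"notes.txt": b"meeting notes", "tax-2010.pdf": b"%PDF-1.4 ..."}


class BearerHostIdServer:
    """Models the design the thread describes: the host_id from config.db is the
    only credential, so whoever holds the value can pull the account's files."""

    def __init__(self):
        self.accounts = {}  # host_id -> files of the linked account

    def link_device(self, account_files):
        host_id = secrets.token_hex(16)  # generated once, written to config.db
        self.accounts[host_id] = account_files
        return host_id

    def download(self, host_id):
        files = self.accounts.get(host_id)
        if files is None:
            raise PermissionError("unknown host_id")
        return files


class BoundHostIdServer:
    """Hypothetical hardened variant (not Dropbox's actual fix): at link time the
    client also registers a device key that lives in a machine-bound store
    (on Windows, think DPAPI), never in config.db. Every download is a
    single-use challenge-response over that key, so a copied host_id alone
    is useless and a captured response cannot be replayed."""

    def __init__(self):
        self.accounts = {}     # host_id -> files
        self.device_keys = {}  # host_id -> device key registered at link time
        self.challenges = {}   # host_id -> outstanding nonce

    def link_device(self, account_files, device_key):
        host_id = secrets.token_hex(16)
        self.accounts[host_id] = account_files
        self.device_keys[host_id] = device_key
        return host_id

    def challenge(self, host_id):
        if host_id not in self.accounts:
            raise PermissionError("unknown host_id")
        nonce = secrets.token_bytes(16)
        self.challenges[host_id] = nonce
        return nonce

    def download(self, host_id, response):
        nonce = self.challenges.pop(host_id, None)  # consumed: no replay
        key = self.device_keys.get(host_id)
        if nonce is None or key is None:
            raise PermissionError("no outstanding challenge for host_id")
        expected = hmac.new(key, host_id.encode() + nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            raise PermissionError("host_id not presented from the linked machine")
        return self.accounts[host_id]


def prove_device(device_key, host_id, nonce):
    """Client-side half of the challenge-response."""
    return hmac.new(device_key, host_id.encode() + nonce, hashlib.sha256).digest()


def bearer_token_theft():
    """Attacker copies host_id (as a trojan reading config.db would) and uses it
    from another machine. Returns True if the attacker got the files."""
    server = BearerHostIdServer()
    host_id = server.link_device(VICTIM_FILES)
    stolen = host_id  # value lifted from the victim's config.db
    return server.download(stolen) == VICTIM_FILES


def bound_token_theft():
    """Same theft against the bound design. Returns (victim_ok, attacker_ok)."""
    server = BoundHostIdServer()
    victim_key = secrets.token_bytes(32)  # machine-bound, not in config.db
    host_id = server.link_device(VICTIM_FILES, victim_key)

    # Legitimate client on the linked machine answers the challenge correctly.
    nonce = server.challenge(host_id)
    victim_ok = server.download(host_id, prove_device(victim_key, host_id, nonce)) == VICTIM_FILES

    # Attacker holds host_id only and must answer with some other key.
    attacker_key = secrets.token_bytes(32)
    nonce = server.challenge(host_id)
    try:
        server.download(host_id, prove_device(attacker_key, host_id, nonce))
        attacker_ok = True
    except PermissionError:
        attacker_ok = False
    return victim_ok, attacker_ok


if __name__ == "__main__":
    print("bearer design, attacker got files:", bearer_token_theft())
    print("bound design (victim ok, attacker ok):", bound_token_theft())
```

The caveat a practitioner should keep in mind: binding the credential to a key held outside config.db defeats an attacker who has only a copy of the file (a backup, physical access to the disk, a file-grabbing trojan), but malware running as the victim user can usually use the same machine-bound store to answer the challenge, so it raises the bar rather than closing the issue. Data that must stay private still needs client-side encryption under a key the attacker cannot recover from the machine.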
 

bogdan

Level 1
Jan 7, 2011
1,362
Even with the new feature, Dropbox should not be used for private info (at least not in my opinion). Again, you don't encrypt the data on your computer, using your own password/key. The files you store on Dropbox’s servers are encrypted, but Dropbox manages the encryption keys on your behalf. They can also decrypt it without your password. I am not saying this is bad, it is just the way Dropbox works and some features they provide might not be possible otherwise. It is important for users to know this so they can decide what files not to put in their Dropbox.
 
