In a previous post, I sang the praises of Dropbox as a file transfer application for the iPad and discussed the application developer’s security representations See http://hytechlawyer.com/?p=49
Dropbox allows the user to put a file into the Dropbox on one device (PC, Mac, iPad, iPhone, Blackberry, etc.) and the document is automatically synched to “the cloud” and can then be accessed on the users other devices that also have Dropbox installed. This functionality is especially useful for iPad users, who have few file transfer options. For this reason, many applications rely upon Dropbox as their file transfer conduit.
Dropbox is now reported to have over 25 million users worldwide. The application is also on almost every “Best Application for Lawyers” list. So many in the legal tech arena becamed concerned when security expert Derek Newton recently exposed a vulnerability that could theoretically allow hackers to invisibly access users Dropbox accounts. See Dropbox: authentication: insecure by design, http://dereknewton.com/2011/04/dropbox-authentication-static-host-ids/
Newton obbserved that to gain access to the victim’s Dropbox files, a hacker need only obtain the Dropbox configuration file from the victim’s computer. This file contains a unique value called “host_id” (think of it as the key to the account) that gets generated when the computer is first linked with a Dropbox account. The value is not system-dependent, meaning it’s not tied to a particular computer or configuration. Thus, if a hacker can obtain this “key” by getting physical access to an unsecured computer or by use of a virus designed to exploit this vulnerability, they could use the key on another computer equipped with Dropbox to download the files in the victim’s Dropbox.
Dropbox responded to Newton’s observations stating:
“[W]e don’t agree with the assertion that there is a security flaw – dropbox is a perfectly safe place to store sensitive data. the article claims that an attacker would be able to gain access to a user’s dropbox account if they are able to get physical access to the user’s computer.
There are measures that can be taken to make it more difficult (though not impossible) to gain access to the authentication cookie which we’ll consider in the future. that said, dropbox isn’t any less secure than other web service.”
To their credit, the programmers at Dropbox have quickly followed up on their promise to enhance security. Dropbox has just released a new test version of its client for Windows, Mac and Linux that reportedly fixes the security issue described above. You can download the current version of this fix from https://www.dropbox.com/ A file backup is recommended before installation. Early reports are that this fix is stable, but it does appear that functionality with some applications has been impaired. These applications will need to be updated to address the security changes. You can follow the discussion regarding the fixes at http://forums.dropbox.com/topic.php?id=37911 . Hopefully this addresses the problem for this important application.