Pages

4/19/2011

Dropbox Vulnerability

According to Derek Newton's post on "Dropbox authentication: insecure by design", I decide it to investigate the vulnerability on myself.

It seems like Dropbox uses SQLite database to store its configuration files in the users' machine.

Here are the files in ~/.dropbox folder:


One of the important files is "config.db" which contains sensitive information, but easy to be read by SQLite command without any protection. I thought it'll be password protected, or use some of encryption techniques, but it can only be used with SQLite right away. This is really like storing password in a plain text file.

Here is example of sensitive information inside config.db:


Few days ago, Neotempest did a good job on making this video to show how to imitate a Dropbox user from Windows OS to use his credential in Mac OS.

This looks really easy to do. Only 2 things are needed in this recipe, they are "SQLite" program and "config.db" That's it



I think it is time for Dropbox to rethink about its own security, before they loses their customers.

No comments:

Post a Comment