Popular cloud sync app raises security fears


By InfoWorld Tech Watch
Created 2011-04-13 08:11AM

Last September I wrote about a program called Dropbox [1] that makes it trivially simple to synchronize files between PCs, Macs, Linux machines, iPads, iPhones, Android phones, and BlackBerrys. When you install Dropbox, you create a folder on your machine that's automatically synchronized with Dropbox folders on the other machines and with the Dropbox application on the Internet.

It's slick. I use it every day. But there's an annoying detail that's suddenly been thrust into the public eye.

Security researcher Derek Newton blogged about the problem [2] over the weekend. To understand the nature of the issue, it helps to see how Dropbox sets up a shared folder.

Say you install Dropbox on a new PC. You pick the shared folder and give it a password. Any files dragged into the folder appear both in the folder and in the Dropbox website [3]. Just log on to the site and provide the same email address and password that you used when you created the original folder. Dropbox encrypts the files on its website, but the files inside the synced folder are just plain files.

Now you install Dropbox on a second PC -- same process. During the installation you create a shared folder on the second PC, provide your email address and password, and it's ready to go.

Each time you fire up either PC, the shared folder is just there. You don't have to log on to anything. Dropbox looks to see if any of the files have changed on the website and, if so, synchronizes the files in the designated folder -- very easy.

You can change the password if you like. When you're logged on to the Dropbox site, click the Account link on top, then the Account Settings tab.

That's where things get a bit strange.

If you change your Dropbox password, you can still get into all of the existing PC's Dropbox folders -- and you don't have to supply the new password. The new password is only required if you set up Dropbox on a new PC (or Mac or iPad or whatever).

Dropbox implements that little sleight of hand by maintaining a file on each PC called config.db. That file (it's actually a SQL Lite database) contains a key called host_id. When you start up a PC, Dropbox runs automatically. It looks in your %APPDATA% folder (in Vista and Windows 7 that's c:\Users\\AppData\Roaming), goes into the Dropbox folder, and retrieves the host_id value from the config.db file. Dropbox then goes to its website and looks up your data using the host_id. If it finds the host_id, Dropbox syncs data between the folder in the cloud and the corresponding folder on your PC.

Do you see the problem?

Dropbox doesn't ask for a password. It doesn't even check to see if the config.db file originated on the current computer. It just grabs the host_id value and syncs your data.

When you install Dropbox on a new computer (or phone) and supply the correct password, the Dropbox site adds that computer to the list of linked computers for that Dropbox account. But it doesn't update that list when a computer accesses the account.

Put two and two together and you can get five. By simply copying the config.db file from one computer to another, you can get access to all of the Dropbox files -- get them automatically synced, in fact -- without supplying a password. Dropbox doesn't check to see if the config.db file originated on the computer, nor does it add the computer to the list of devices linked to the Dropbox account.

This isn't a horrible security breach, but it's an excellent example of how programming for user convenience in the cloud -- in this case, syncing data without requesting a password -- can open the door for some potential abuse.

Dropbox fans rightfully point out that swiping a config.db file from somebody is a nontrivial task [4]. If a black hat hacker could steal information from your computer, the argument goes, why would they bother with a host_id key to get into a Dropbox account?

Dropbox's detractors decry the lack of validation, no password on sync, no verification of the pedigree of the config.db file, combined with a lack of audit controls. No list of machines accessing the Dropbox account, topped off with an ineffectual lockdown -- and changing the password doesn't change anything.

They're right, of course. Clearly Dropbox needs to do more to protect its customers.

I see two important points to be drawn from this discovery.

First, developers need to implement the same kind of controls in the cloud that they're accustomed to implementing in more traditional systems. Yes, that will make some things less convenient. So be it.

Second, storing sensitive, unencrypted information in the cloud is foolish, no matter how you slice it.

This story, "Popular cloud sync app raises security fears [5]," was originally published at InfoWorld.com [6]. Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog [7]. For the latest developments in business technology news, follow InfoWorld.com on Twitter [8].

Cloud Computing Security Cloud Security Data Security Source URL (retrieved on 2011-04-13 01:53PM):
http://www.infoworld.com/t/data-security/popular-cloud-sync-app-raises-security-fears-776
Links:
[1] http://www.infoworld.com/t/infrastructure-services/upstart-dropbox-forges-ahead-while-microsoft-diddles-189
[2] http://dereknewton.com/2011/04/dropbox-authentication-static-host-ids/
[3] http://www.dropbox.com/
[4] http://forums.dropbox.com/topic.php?id=36146
[5]http://www.infoworld.com/t/cloud-security/popular-cloud-sync-app-raises-security-fears-776?source=footer
[6] http://www.infoworld.com/?source=footer
[7] http://www.infoworld.com/blogs/infoworld-tech-watch?source=footer
[8] http://twitter.com/infoworld

http://www.infoworld.com/t/data-security/popular-cloud-sync-app-raises-security-fears-776?source=IFWNLE_nlt_blogs_2011-04-13

Comments

Post a Comment

Popular posts from this blog

Report: World’s 1st remote brain surgery via 5G network performed in China

World’s 1st remote brain surgery via 5G network performed in China Published time: 17 Mar, 2019 13:12 ·           A Chinese surgeon has performed the world’s first remote brain surgery using 5G technology, with the patient 3,000km away from the operating doctor. Dr. Ling Zhipei remotely implanted a neurostimulator into his patient’s brain on Saturday, Chinese state-run media  reports . The surgeon manipulated the instruments in the Beijing-based PLAGH hospital from a clinic subsidiary on the southern Hainan island, located 3,000km away. The surgery is said to have lasted three hours and ended successfully. The patient, suffering from Parkinson’s disease, is said to be feeling well after the pioneering operation. The doctor used a computer connected to the next-generation 5G network developed by Chinese tech giant Huawei. The new device enabled a near real-time connection, according to Dr. Ling.  “You barely feel that the patient is 3,000 kilometers away,”  he said.
Read more

Visualizing The Power Of The World's Supercomputers

Visualizing The Power Of The World's Supercomputers   BY TYLER DURDEN FRIDAY, JAN 21, 2022 - 04:15 AM   A supercomputer is a machine that is built to handle billions, if not trillions of calculations at once. Each supercomputer is actually made up of many individual computers (known as nodes) that work together in parallel. A common metric for measuring the performance of these machines is  flops , or  floating point operations per second . In this visualization,  Visual Capitalist's Marcus Lu uses  November 2021 data from  TOP500  to visualize the computing power of the world’s top five supercomputers. For added context, a number of modern consumer devices were included in the comparison. Ranking by Teraflops Because supercomputers can achieve over one quadrillion flops, and consumer devices are much less powerful, we’ve used  teraflops  as our comparison metric. 1 teraflop = 1,000,000,000,000 (1 trillion) flops. Supercomputer Fugaku  was completed in March 202
Read more

BMW traps alleged thief by remotely locking him in car

BMW traps alleged thief by remotely locking him in car Stealer's Wheel? Seattle police department quotes "Watchmen" movie in a recap of the recent arrest. Tech Culture by Gael Fashingbauer Cooper December 4, 2016 5:00 PM PST It's maybe the most satisfying arrest we can imagine. Seattle police caught an alleged car thief by enlisting the help of car maker BMW to both track and then remotely lock the luckless criminal in the very car he was trying to steal. Jonah Spangenthal-Lee, deputy director of communications for the Seattle Police Department, posted a witty summary of the event on the SPD's blog on Wednesday. Turns out if you're inside a stolen car, it's perhaps not the best time to take a nap. "A car thief awoke from a sound slumber Sunday morning (Nov. 27) to find he had been remotely locked inside a stolen BMW, just as Seattle police officers were bearing down on him," Spangenthal-Lee wrote. The suspect found a ke
Read more