For those of you new to Dropbox:
“Dropbox is a Web-based file hosting service operated by Dropbox, Inc. which uses cloud computing to enable users to store and share files and folders with others across the Internet using file synchronization.”
Dropbox has become very popular and widely used as it has so many different uses and makes file sharing over the internet easy. Dropbox allows you to make public image galleries, share files publicly, share files between computers and manage version control. All this straight from your file system. I like to think of it as git or a subversion repository with a nice interface.
So how secure is Dropbox? According to the Dropbox FAQ:
* Shared folders are viewable only by people you invite
* All transmission of file data and metadata occurs over an encrypted channel (SSL).
* All files stored on Dropbox servers are encrypted (AES-256) and are inaccessible without your account password
* Dropbox website and client software have been hardened against attacks from hackers
* Online access to your files require your username and password
* Public files are only viewable by people who have a link to the file(s). Public folders are not browsable or searchable
* Dropbox employees aren’t able to access user files, and when troubleshooting an account they only have access to file metadata (filenames, file sizes, etc., not the file contents)
Let’s take a closer look at these claims. “Shared folders are viewable only by people you invite.” True; however, if an attacker has access to your local machine they can invite themselves. You may argue that if someone has access to your local machine the game is over anyway. The problem here is that all the attacker has to do is click a few buttons and you will share not only your current Dropbox files but all future files, until you realise. This can be done via the Dropbox main menu by clicking on ‘Browse on Dropbox Website…’, which opens your default browser and automatically logs you in to your online Dropbox account, where Sharing and other options can be changed.
Using SSL is awesome: “All transmission of file data and metadata occurs over an encrypted channel (SSL).” However, we have all seen and witnessed attacks on SSL using man-in-the-middle techniques. But again, here you could argue that if someone has already managed to man-in-the-middle you, then you probably have more things to worry about than your Dropbox files.
Using a good encryption algorithm won’t protect you against users picking weak passwords. “All files stored on Dropbox servers are encrypted (AES-256) and are inaccessible without your account password.” Unfortunately I didn’t have time to scrutinize their password policy; however, I did notice that they do not take any measures to prevent brute force attacks on their HTTP login form.
It’s good that Dropbox have ‘hardened’ against attacks, but what does this entail? SDLC? Black box scanning? “Dropbox website and client software have been hardened against attacks from hackers.”
Not always. “Online access to your files require your username and password.” As mentioned before, by clicking on ‘Browse on Dropbox Website…’ from the Dropbox menu, no authentication is needed; however, the attacker would need local access.
Oh really?! “Public files are only viewable by people who have a link to the file(s). Public folders are not browsable or searchable”. When you use a common numbering system in your URIs, this becomes false. A link to a Dropbox Public folder looks like so: http://dl.dropbox.com/u/7000455/index.html. The seven digit number is the Dropbox username, in this case some random user. But what happens if we increment that number? Well, this happens: http://dl.dropbox.com/u/7001955/index.html. What if some not so bright people stored other not so ‘public’ files in their public folder? We’ve all come across these types of people before! Dropbox terms and conditions state: “BY PLACING FILES IN YOUR PUBLIC FOLDERS, YOU CONSENT TO SHARE ACCESS TO THE CONTENT OF THOSE FOLDERS WITH OTHER DROPBOX USERS AND/OR THE PUBLIC”. Dropbox also states: “It is possible, however unlikely, that someone could guess your link if they knew the file name.”
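For anyone designing a similar "anyone with the link" feature, the fix for guessable numbering is to make the link itself the secret. The sketch below is an added example, not Dropbox's code: `PublicLinkStore`, the `files.example.invalid` host and the account counts are assumptions made up for illustration. It issues one 128-bit random token per shared path, stores only a hash of it, supports revocation, and bounds the chance of a guess landing on a live link.

```python
import hashlib
import secrets

TOKEN_BYTES = 16  # 128 bits of randomness per link (assumed size for this sketch)


class PublicLinkStore:
    """Hypothetical registry: one unguessable token per shared path."""

    def __init__(self, base_url="https://files.example.invalid/s/"):
        self.base_url = base_url
        self._links = {}  # sha256(token) -> (user_id, path); raw tokens are never stored

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id, path):
        # The token is random, so it reveals nothing about the account number
        # and neighbouring links cannot be derived from it.
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self._links[self._digest(token)] = (user_id, path)
        return self.base_url + token

    def resolve(self, url):
        if not url.startswith(self.base_url):
            return None
        return self._links.get(self._digest(url[len(self.base_url):]))

    def revoke(self, url):
        token = url[len(self.base_url):]
        return self._links.pop(self._digest(token), None) is not None


def hit_probability(active_links, id_space, guesses):
    """Union bound on the chance that any of `guesses` tries hits a live link."""
    return min(1.0, guesses * active_links / id_space)


if __name__ == "__main__":
    store = PublicLinkStore()
    link = store.issue(1001, "index.html")  # constructed user id and path
    print(link, store.resolve(link))
    # Constructed figures: 5 million live links in each scheme.
    print("7-digit sequential id, 1 guess:", hit_probability(5_000_000, 10**7, 1))
    print("128-bit token, 1e9 guesses:   ", hit_probability(5_000_000, 2**128, 10**9))
```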
This is good: “Dropbox employees aren’t able to access user files, and when troubleshooting an account they only have access to file metadata (filenames, file sizes, etc., not the file contents)”. However, you can only ‘permanently delete’ files via the online web interface; just deleting them from your Dropbox folder does not mean they have been ‘permanently deleted’.
Dropbox is a great service; however, people need to be aware of the risks in sharing sensitive information in the ‘cloud’.
UPDATE: 03/08/2010 – 19:30
UPDATE: 05/08/2010 20:00
I contacted Dropbox through their support system on August 3rd to highlight the Phishing risk and this blog post. I received an email with a one line reply today from Kevin Chu of Dropbox; “Yes, we are looking at alternative domains to use for hosting public files.”