DropBox Security

For those of you new to Dropbox:

“Dropbox is a Web-based file hosting service operated by Dropbox, Inc. which uses cloud computing to enable users to store and share files and folders with others across the Internet using file synchronization.”

http://en.wikipedia.org/wiki/Dropbox_%28service%29

Dropbox has become very popular and widely used because it has so many different uses and makes file sharing over the internet easy. Dropbox lets you publish image galleries, share files publicly, sync files between computers and keep old versions of your files, all straight from your file system. I like to think of it as a git or Subversion repository with a nice interface.

So how secure is Dropbox? According to the Dropbox FAQ:

* Shared folders are viewable only by people you invite

* All transmission of file data and metadata occurs over an encrypted channel (SSL).

* All files stored on Dropbox servers are encrypted (AES-256) and are inaccessible without your account password

* Dropbox website and client software have been hardened against attacks from hackers

* Online access to your files require your username and password

* Public files are only viewable by people who have a link to the file(s). Public folders are not browsable or searchable

* Dropbox employees aren’t able to access user files, and when troubleshooting an account they only have access to file metadata (filenames, file sizes, etc., not the file contents)

https://www.dropbox.com/help/27

Let’s take a look at these claims more closely. “Shared folders are viewable only by people you invite.” True, however if an attacker has access to your local machine they can invite themselves. You may argue that if someone has access to your local machine the game is over anyway. The problem here is that all the attacker has to do is click a few buttons and you will be sharing not only your current Dropbox files but every file you add in future, until you realise. This can be done from the Dropbox main menu by clicking ‘Browse on Dropbox Website…’: this opens your default browser and automatically logs you in to your online Dropbox account, so the attacker can change sharing and other settings without ever knowing your password.

Using SSL is awesome. “All transmission of file data and metadata occurs over an encrypted channel (SSL).” However, we have all seen attacks on SSL using man-in-the-middle techniques, and they work whenever the client can be made to accept the attacker’s certificate, whether because a user clicks past a certificate warning, a certificate authority is compromised, or the client does not verify the certificate at all. But again, here you could argue that if someone has already managed to man-in-the-middle you then you probably have more things to worry about than your Dropbox files.

Using a good encryption algorithm won’t protect you against users picking weak passwords. “All files stored on Dropbox servers are encrypted (AES-256) and are inaccessible without your account password”. Note that this is an access-control claim rather than a cryptographic one: Dropbox can reset a forgotten password without losing your files, so the AES keys must be held by Dropbox rather than derived from your password, and the password is simply what gates access to them. Unfortunately I didn’t have time to scrutinize their password policy, however I did notice that they do not take any measures to prevent brute-force attacks on their HTTP login form, so a weak password can be guessed online at whatever rate the attacker can sustain.
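To show what “measures to prevent brute force attacks” on a login form can look like, here is an added Python example (my illustration, not Dropbox’s code): a naive login that checks the password and nothing else, beside a throttled login that forgives a few failures per account, then imposes an exponentially growing lockout, and caps attempts per source address. The user table, the passwords, the wordlist and the IP address are constructed for the example, and the clock is injectable so the lockout can be exercised without sleeping.

```python
"""Login brute-force protection: an unthrottled check beside a throttled one."""
import hashlib
import hmac
import os
import time
from collections import defaultdict

PBKDF2_ROUNDS = 20_000  # kept low so the example runs quickly; use far more in production


def _make_record(password):
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed user table for the example, not real account data.
USERS = {"alice": _make_record("correct horse battery staple")}
_DUMMY_SALT = b"\x00" * 16


def check_password(username, password):
    """Salted PBKDF2 check; unknown users burn the same time so they cannot be timed."""
    record = USERS.get(username)
    if record is None:
        hashlib.pbkdf2_hmac("sha256", password.encode(), _DUMMY_SALT, PBKDF2_ROUNDS)
        return False
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, candidate)


def naive_login(username, password, ip=None):
    """The weak form: each request is a free guess, so a wordlist runs at line speed."""
    return "ok" if check_password(username, password) else "bad_password"


class LoginThrottle:
    """Per-account exponential lockout plus a per-source-address attempt cap."""

    FREE_FAILURES = 3  # typos are forgiven; the 4th failure starts the lockout

    def __init__(self, base_delay=1.0, max_delay=900.0, ip_limit=50, ip_window=600.0,
                 clock=time.monotonic):
        self.base_delay, self.max_delay = base_delay, max_delay
        self.ip_limit, self.ip_window = ip_limit, ip_window
        self.clock = clock
        self.failures = {}                # username -> (failure count, locked_until)
        self.ip_hits = defaultdict(list)  # ip -> timestamps of recent attempts

    def lock_remaining(self, username):
        _, locked_until = self.failures.get(username, (0, 0.0))
        return max(0.0, locked_until - self.clock())

    def attempt(self, username, password, ip):
        now = self.clock()
        hits = [t for t in self.ip_hits[ip] if now - t < self.ip_window]
        if len(hits) >= self.ip_limit:
            return "throttled"            # too many attempts from this address, any account
        hits.append(now)
        self.ip_hits[ip] = hits

        count, locked_until = self.failures.get(username, (0, 0.0))
        if now < locked_until:
            return "locked"               # rejected before the password is even checked
        if check_password(username, password):
            self.failures.pop(username, None)
            return "ok"
        count += 1
        if count > self.FREE_FAILURES:
            # 1s, 2s, 4s, ... up to max_delay: cheap for a user, ruinous for a wordlist
            delay = min(self.base_delay * 2 ** (count - self.FREE_FAILURES - 1), self.max_delay)
            locked_until = now + delay
        self.failures[username] = (count, locked_until)
        return "bad_password"


def run_wordlist(login, username, wordlist, ip="203.0.113.7"):
    """Drive a login function with a wordlist; report how it ended and how many guesses it got."""
    for tried, guess in enumerate(wordlist, start=1):
        result = login(username, guess, ip)
        if result in ("ok", "locked", "throttled"):
            return result, tried
    return "exhausted", len(wordlist)


if __name__ == "__main__":
    words = ["password", "123456", "letmein", "qwerty", "dropbox", "correct horse battery staple"]
    print("naive:    ", run_wordlist(naive_login, "alice", words))
    print("throttled:", run_wordlist(LoginThrottle().attempt, "alice", words))
```

The lockout also rejects the correct password while it is running, so an attacker who knows a username can keep the legitimate user locked out; the few free failures and the capped delay limit that, and a site that cannot tolerate it at all would answer repeated failures with a CAPTCHA rather than a hard lock. The per-address cap catches attackers spraying one password across many accounts, which the per-account counter alone never sees.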

It’s good that Dropbox have ‘hardened’ against attacks, but what does this entail? A secure development lifecycle? Black-box scanning? An independent penetration test? “Dropbox website and client software have been hardened against attacks from hackers” tells you nothing you can verify.

Not always. “Online access to your files require your username and password”. As mentioned above, clicking ‘Browse on Dropbox Website…’ in the Dropbox menu logs you in to the website without any username or password being typed, because the installed client authenticates you automatically. The attacker would need local access, but the claim as stated does not hold.

Oh really?! “Public files are only viewable by people who have a link to the file(s). Public folders are not browsable or searchable”. When you use a sequential numbering scheme in your URIs this becomes false. A link to a file in a Dropbox Public folder looks like this: http://dl.dropbox.com/u/7000455/index.html. The seven-digit number is the Dropbox user ID, in this case some random user. What happens if we change that number to a nearby one? Well, this happens: http://dl.dropbox.com/u/7001955/index.html. The user IDs are not secret and the file names are guessable, so a Public folder may not be browsable, but its contents can be enumerated by trying a few common file names against every ID. What if some not so bright people stored other not so ‘public’ files in their Public folder? We’ve all come across these types of people before! Dropbox’s terms and conditions state: “BY PLACING FILES IN YOUR PUBLIC FOLDERS, YOU CONSENT TO SHARE ACCESS TO THE CONTENT OF THOSE FOLDERS WITH OTHER DROPBOX USERS AND/OR THE PUBLIC”. Dropbox also states: “It is possible, however unlikely, that someone could guess your link if they knew the file name.”
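As an added illustration (mine, not the author’s script, which is not reproduced on the page), the following Python takes a Public-folder link apart, builds the neighbouring-ID candidates an enumerator would try, and puts the size of a seven-digit sequential ID space next to that of a random capability token. It makes no network requests: the sample link and file names are constructed inputs, and the /share/<token>/ link format is a hypothetical one for comparison, not a Dropbox URL scheme.

```python
"""Why 'only people with the link' depends on how guessable the link is."""
import re
import secrets
from urllib.parse import urlsplit

PUBLIC_PATH = re.compile(r"^/u/(\d+)/(.+)$")

# Constructed inputs for the example; nothing here is fetched.
SAMPLE_LINK = "http://dl.dropbox.com/u/7000455/index.html"
COMMON_NAMES = ["index.html", "resume.pdf", "passwords.txt", "backup.zip"]


def parse_public_link(url):
    """Split a dl.dropbox.com/u/<id>/<path> link into (user_id, path); None if it is not one."""
    parts = urlsplit(url)
    m = PUBLIC_PATH.match(parts.path)
    if parts.netloc.lower() != "dl.dropbox.com" or m is None:
        return None
    return int(m.group(1)), m.group(2)


def neighbouring_links(url, span, filenames):
    """The candidate set an enumerator works through: nearby user IDs x common file names.

    The user ID is a sequential integer, so every other user's folder is 'next door';
    the only thing left to guess is the file name.
    """
    uid, _ = parse_public_link(url)
    return [
        f"http://dl.dropbox.com/u/{uid + delta}/{name}"
        for delta in range(-span, span + 1) if delta != 0
        for name in filenames
    ]


def sequential_id_space(digits):
    """Number of values a <digits>-digit decimal ID can take."""
    return 10 ** digits


def token_space(nbytes):
    """Number of values an nbytes-byte random token can take."""
    return 2 ** (8 * nbytes)


def seconds_to_sweep(space_size, requests_per_second):
    """Time to try every value in a space (for one file name) at a given request rate."""
    return space_size / requests_per_second


def capability_link(path, nbytes=16):
    """Hypothetical unguessable share link: a random token the server maps to one file.

    16 random bytes give a 2**128 space; a sweep at any realistic rate never finishes.
    """
    return f"http://dl.dropbox.com/share/{secrets.token_urlsafe(nbytes)}/{path}"


if __name__ == "__main__":
    uid, path = parse_public_link(SAMPLE_LINK)
    print(f"user id {uid}, file {path}")
    for link in neighbouring_links(SAMPLE_LINK, 1, COMMON_NAMES)[:4]:
        print("would try:", link)
    rate = 100  # requests per second, a modest single-machine crawler
    print("hours to sweep every 7-digit id for one file name:",
          seconds_to_sweep(sequential_id_space(7), rate) / 3600)
    print("years to sweep a 128-bit token space:",
          seconds_to_sweep(token_space(16), rate) / (3600 * 24 * 365))
    print("capability-style link:", capability_link(path))
```

At 100 requests per second the whole seven-digit ID space is swept for a single file name in about 28 hours, which is why the “only people who have a link” guarantee is only as good as the entropy in the link; the random token is the shape of the fix.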

This is good: “Dropbox employees aren’t able to access user files, and when troubleshooting an account they only have access to file metadata (filenames, file sizes, etc., not the file contents)”. However, you can only ‘permanently delete’ files via the online web interface; deleting them from your Dropbox folder does not mean they have been permanently deleted, and they remain recoverable from the website until you do so.

Dropbox is a great service, however people need to be aware of the risks of sharing sensitive information in the ‘cloud’.

UPDATE: 03/08/2010 – 19:30

I hadn’t noticed earlier, however after a chat over a meal we came to realise that if a Dropbox public file renders HTML, then why not JavaScript? It turns out that executing JavaScript is possible; however, the Dropbox login cookies do not apply to the dl subdomain, so a script in a Public file cannot read your session. But it is a dream come true for any wannabe Dropbox phisher, since the page is served from a genuine Dropbox hostname. This is a file hosted in my Public folder: http://dl.dropbox.com/u/7879629/index.html It does not send the form data anywhere; it just redirects to this blog on pressing login.
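The cookie behaviour observed above comes down to cookie domain scoping. This added Python example (mine, not Dropbox’s code) implements the RFC 6265 domain-match rule and walks through three cases: a host-only session cookie set by www.dropbox.com, which dl.dropbox.com never receives; the same cookie set with Domain=dropbox.com, which every subdomain including dl.dropbox.com would receive; and a user-content host on a separate registrable domain (example-usercontent.net, hypothetical), which receives nothing either way. The cookie names and values are constructed, and that Dropbox’s session cookie is host-only is an assumption consistent with what was observed, not something confirmed by Dropbox.

```python
"""Which hosts receive a cookie: RFC 6265 domain matching and host-only cookies."""


def domain_matches(request_host, cookie_domain):
    """RFC 6265 section 5.1.3: hosts match if equal, or the host ends in '.' + domain."""
    request_host, cookie_domain = request_host.lower(), cookie_domain.lower()
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


class Cookie:
    """A stored cookie with the scope the browser derives from Set-Cookie (section 5.3)."""

    def __init__(self, name, value, set_by_host, domain_attr=None):
        self.name, self.value = name, value
        if domain_attr:
            # An explicit Domain attribute (leading dot ignored) covers that domain
            # and every subdomain of it.
            self.host_only = False
            self.domain = domain_attr.lstrip(".").lower()
        else:
            # No Domain attribute: host-only, sent back to exactly the setting host.
            self.host_only = True
            self.domain = set_by_host.lower()

    def applies_to(self, request_host):
        host = request_host.lower()
        if self.host_only:
            return host == self.domain
        return domain_matches(host, self.domain)


def cookies_sent_to(jar, request_host):
    """Names of the cookies a request to request_host would carry."""
    return sorted(c.name for c in jar if c.applies_to(request_host))


def user_content_host_is_isolated(jar, app_hosts, user_content_host):
    """True if hosting user files on user_content_host leaks no cookie the app hosts use."""
    app_cookies = {c.name for c in jar if any(c.applies_to(h) for h in app_hosts)}
    return not app_cookies & set(cookies_sent_to(jar, user_content_host))


if __name__ == "__main__":
    # Constructed cookies: the session cookie as observed (host-only, an assumption) and
    # as it would behave if it were set for the whole dropbox.com domain.
    host_only = [Cookie("session", "s3cr3t", set_by_host="www.dropbox.com")]
    site_wide = [Cookie("session", "s3cr3t", set_by_host="www.dropbox.com",
                        domain_attr=".dropbox.com")]
    for label, jar in (("host-only", host_only), ("Domain=dropbox.com", site_wide)):
        for host in ("dl.dropbox.com", "dl.example-usercontent.net"):
            print(f"{label}: {host} gets {cookies_sent_to(jar, host)}")
        print(f"{label}: dl.dropbox.com isolated from www? "
              f"{user_content_host_is_isolated(jar, ['www.dropbox.com'], 'dl.dropbox.com')}")
```

A subdomain is only safe for user-supplied HTML and JavaScript for as long as nobody sets a domain-wide cookie; the separate registrable domain removes that dependency, which is what Dropbox’s reply about “alternative domains” amounts to.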

UPDATE: 05/08/2010 20:00

I contacted Dropbox through their support system on August 3rd to highlight the phishing risk and this blog post. Today I received a one-line reply by email from Kevin Chu of Dropbox: “Yes, we are looking at alternative domains to use for hosting public files.”

31 thoughts on “DropBox Security”

  1. Pento

    Most of the items look far-fetched.
    But the idea of reviewing Dropbox security controls is really interesting. You also forget that Dropbox, as a usual web app, may have something from the OWASP Top 10 like XSS =)

  2. Andrew Waite

    Nice write-up.

    For the overly paranoid (like me), turn your DropBox folder into a TrueCrypt container and store your files in there. This way if someone (a DropBox employee or a third party) does gain access to your account they still can’t access your actual data without either breaking the crypto or gaining your (hopefully complex) TrueCrypt password. Of course if they’ve compromised your machine and installed a keylogger you’re still in trouble; but as you say, you’ve probably got bigger problems.

    –Andrew

    P.S. thanks to @baconzombie for suggesting the combination to me a while back.

  3. Marc Ruef

    Hello,

    Nice article! Especially the guessing of public folder names is going to be interesting. I think in a few days/weeks someone is coming up with a crawler …

    Regards,

    Marc

  4. admin Post author

    @pento
    There may be some web application vulnerabilities from the OWASP Top 10 that affect the DropBox site. But looking for these intentionally without permission may be considered unethical.

    @Andrew
    Great idea!

    @Marc
    I wrote a quick Python script to brute force the Public folder file names. So far I have only found a couple of index.html files, nothing too interesting, but with more time and refinement I’m sure something would pop up. Of course this is ethical and legal as DropBox state that the information in users’ Public files is, well, public.

  5. Mr. Shiney

    This is an interesting look at the risks to Dropbox. A warning about using TrueCrypt with Dropbox: because of the way Dropbox works, only syncing the bits of a TC container that have changed, a person may be able to guess your TC secret key by capturing this changed data several times. Another warning about Dropbox and the danger of public file leaks: http://tgfblogged.blogspot.com/2010/06/dropbox-has-issue-with-way-it-handles.html

    I think DB has some serious security concerns.

  6. James Flint

    There are two separate issues for me.

    1.Does Dropbox compromise access to my computers from outside?

    2.Are the file contents in the non-public area secure?

    I wouldn’t plan to use anything other than pictures and other trivia in the app anyway, so the file issue is not a problem. Access to my hard drive could be serious.

    Could someone parse the two issues?

    Thanks

  7. Peter

    Can Dropbox make the performance of my computer slower?
    I have my server synchronized with the dropbox and it is full of gigabytes.
    Thanks

  8. TheGooch

    Thanks for the fair analysis of Dropbox security. Many people bring up highly unlikely scenarios where your data might get compromised. Like the idea of watching the bits that change in the TrueCrypt file. Give me a break. Even if they break into your Dropbox account (1st requirement), they need to download the entire file every time it changes (2nd requirement), and have an unencrypted copy of the file(s) (3rd requirement) that was added/deleted to cause the change in order to have a chance of determining the passphrase.

    Play the lotto, your odds are much better and the payoff is a lot greater.

  11. Zenfoos

    With respect to brute force countermeasures, based on a quick review I came up with the following findings on 22-23 Mar 11.

    Password length: requires the string to be at least 6 characters. However, there is no complexity requirement, so it can be almost any character sequence (e.g., I successfully changed the password to aaaaaa). I did not check which characters were not acceptable.

    Lockout after 11 bad attempts:
    I noticed that after 11 bad log-in attempts, on the 12th one, when using the valid password, I was locked out. In the log-in screen the following message was displayed: “Too many login attempts. Please try later.”

    I did not see for how long though but was at least 5 minutes.

    These findings were based on empirical tests (verified twice over 2 days). No attempt was made to validate the actual policy with Dropbox.

  12. Aaron

    Another idea I had, is to upload a malicious PDF named “Social security” or any other interesting file name, that opens a shell back to your computer via reverse TCP.

    This is just to find out who is snooping around in your folders.

    When I get the chance, I will test the mobile app client for dropbox.

  13. James A.

    Hi, my startup just released a small app last week (talk about timing) that was motivated by the very issues discussed here. It works with Dropbox and other sync services, and encrypts your files on your computer before putting them into Dropbox. I’m not trying to spam, but here’s the link in case it sounds interesting to anyone. This is an early beta:

    http://getsecretsync.com

    You can probably consider it a simpler, lightweight alternative to TrueCrypt.

  15. camphappy

    I have a great solution – store your files locally.
    Turn off the PC when not in use. Let’s see anyone try to get your file from inet now.

  17. Pingback: drop box alternatives « Seo Source

  18. Pingback: Dropbox Security – giroz.net

Comments are closed.