How Dropbox Hacks Your Mac

(applehelpwriter.com)
1037 points 8bitben | 11 comments
1. 0x0 No.12463757
What the fuck Dropbox!

How do I get rid of the backdoor in /Library/Application\ Support/com.apple.TCC/TCC.db even after uninstalling Dropbox.app and rm -rf'ing ~/.dropbox and /Library/DropboxHelperTools? Do I just sudo sqlite3 and delete the row? Or is there an official tool (tccutil)?

Edit: Crap, there's a /Library/Extensions/Dropbox.kext too now. :(

replies(3): >>12463777 #>>12465166 #>>12465397 #
2. ptomato No.12463777
Should be able to just uncheck Dropbox.app in SysPrefs -> Security & Privacy -> Privacy -> Accessibility
replies(3): >>12463831 #>>12464498 #>>12464556 #
3. 0x0 No.12463831
It's not visible there, probably because I obliterated the Dropbox.app file.

Currently rm -rf'ing the kext after kextunloading it and seeing the kextcache rebuilding.

Why should I trust a company that gets its customer database leaked with a kext that they install via shady deceiving permission dialogs?!

Uninstalled. Good riddance.

4. hughw No.12464498
No, that works only until your next reboot. DB has installed an agent that resets that setting in TCC.db a few seconds after you log in next.
replies(1): >>12464577 #
5. sigjuice No.12464556
I tried this, but looks like Dropbox shenanigans are able to silently turn it back on.
replies(1): >>12464991 #
6. ptomato No.12464577{3}
Per the person I replied to, he uninstalled Dropbox and removed the agent.
7. djrogers No.12464991{3}
Not in Sierra
8. ddp No.12465166
I did this:

sudo sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db

sqlite> delete from "access" where (service=="kTCCServiceAccessibility" and client=="com.getdropbox.dropbox");

...and it seems to have done the trick.
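
Added example, not part of ddp's comment or the original thread: a Python sketch of the same cleanup that lists the Accessibility clients read-only, copies the database aside, and then deletes only the one named row. The sample database is constructed and contains only the two columns named in the thread (service, client); the function names and the com.example.windowmanager client are hypothetical.

```python
import shutil
import sqlite3
from pathlib import Path

SERVICE = "kTCCServiceAccessibility"  # service name quoted in the thread


def list_clients(db_path, service=SERVICE):
    """Return the client identifiers that hold a row for `service`."""
    # mode=ro opens the file read-only, so an audit can never modify it.
    uri = Path(db_path).resolve().as_uri() + "?mode=ro"
    con = sqlite3.connect(uri, uri=True)
    try:
        rows = con.execute(
            "SELECT client FROM access WHERE service = ? ORDER BY client",
            (service,),
        ).fetchall()
    finally:
        con.close()
    return [r[0] for r in rows]


def remove_client(db_path, client, service=SERVICE):
    """Copy the database aside, then delete exactly one (service, client) row."""
    backup = Path(str(db_path) + ".bak")
    shutil.copy2(db_path, backup)
    con = sqlite3.connect(db_path)
    try:
        with con:  # commits on success, rolls back if the DELETE raises
            cur = con.execute(
                "DELETE FROM access WHERE service = ? AND client = ?",
                (service, client),
            )
        return cur.rowcount, backup
    finally:
        con.close()


def build_sample_db(path):
    """Constructed stand-in for TCC.db (assumption: two-column schema only)."""
    con = sqlite3.connect(path)
    with con:
        con.execute("CREATE TABLE access (service TEXT, client TEXT)")
        con.executemany("INSERT INTO access VALUES (?, ?)", [
            ("kTCCServiceAccessibility", "com.getdropbox.dropbox"),
            ("kTCCServiceAccessibility", "com.example.windowmanager"),
            ("kTCCServiceAddressBook", "com.getdropbox.dropbox"),
        ])
    con.close()
```

Listing first shows which other clients hold the same service, and the parameterized DELETE leaves rows for other services and other clients untouched.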

9. chmaynard No.12465397
> Crap, there's a /Library/Extensions/Dropbox.kext too

Now I'm getting paranoid. My /Library/Extensions/ directory contains the following kernel extensions. I purchased Little Snitch so I knew about theirs. Anyone have any comments on the rest of them?

  ACS6x.kext
  ATTOCelerityFC8.kext
  ATTOExpressSASHBA2.kext
  ATTOExpressSASRAID2.kext
  ArcMSR.kext
  BJUSBLoad.kext
  CIJUSBLoad.kext
  CalDigitHDProDrv.kext
  HighPointIOP.kext
  HighPointRR.kext
  LittleSnitch.kext
  PromiseSTEX.kext
  SoftRAID.kext
replies(2): >>12465419 #>>12465548 #
10. 0x0 No.12465419
I have all of those except "BJUSBLoad", "CIJUSBLoad" and "LittleSnitch".
11. citruspi No.12465548
I've got all of them except for

  BJUSBLoad.kext
  CIJUSBLoad.kext
  LittleSnitch.kext

From some online searching, it looks like BJUSBLoad.kext and CIJUSBLoad.kext are related to Canon printers.