
How Dropbox Hacks Your Mac

(applehelpwriter.com)
1037 points 8bitben | 8 comments
gruez No.12463849
The fact that any application can spoof the OS password prompt makes me wonder why they don't have a prominent feature to show the prompt is from the OS. On Windows there is the secure desktop with the dimming effect.
replies(6): >>12463913 #>>12463935 #>>12463946 #>>12464205 #>>12464261 #>>12465995 #
1. pritambaral No.12463935
Is the "secure desktop with dimming effect" not spoofable?
replies(3): >>12464096 #>>12464194 #>>12464260 #
2. sbarre No.12464096
It probably is, but it would be near-impossible for a respectable company to claim that they weren't specifically trying to spoof it.

With the current OS X password prompt being a benign looking window, Dropbox (or others) can easily say they're just "following standard UI patterns" or something like that.

3. BinaryIdiot No.12464194
Not really. Sure, you can make a replica of it, but it won't behave the same, because you'll be able to minimize or close it, but the secure desktop you can't do jack to until you either accept or decline whatever it's asking.
replies(2): >>12464410 #>>12464524 #
4. Vendan No.12464260
Trivially, in fact. KeePass does a fairly good job of it, mimicking everything down to the actual creation of a second, "secure" desktop. It's arguably more secure, though it's a little bit of a "false security", as KeePass's "Secure Desktop" is not as "secure" as the UAC and similar one, since the UAC one runs as SYSTEM, whereas KeePass's runs as the current user.
5. DINKDINK No.12464410
>you can make a replica of it but it won't behave the same because you'll be able to minimize or close it

but it would still achieve its purpose of phishing a root password

6. fredsted No.12464524
Disable the minimize button? Hook into alt tab? There's endless opportunities!
replies(1): >>12466482 #
7. BinaryIdiot No.12466482
I mean, sure, and that may confuse normal users. But if I remember correctly, you can't override / replicate everything without administrative access. If I remember correctly, ctrl + alt + del can't be overridden on the security screen. I thought there were other things as well.
replies(1): >>12467330 #
8. pritambaral No.12467330
ctrl+alt+del isn't overridden on the legit 'Grant Administrative Access' screen either.