How Dropbox Hacks Your Mac

(applehelpwriter.com)
1037 points 8bitben | 14 comments
1. Dylan16807 ◴[] No.12464088[source]
I don't really understand the conclusion here. So the scenario is you trust dropbox with your files, and you trust them with a kernel blob implementing the filesystem, but you don't trust them to silently have accessibility rights?
replies(3): >>12464120 #>>12464611 #>>12464701 #
2. lm2s ◴[] No.12464120[source]
You're assuming everyone trusts Dropbox with all their files and that everyone installs their kernel extension, which is a wrong assumption.
replies(1): >>12464197 #
3. Dylan16807 ◴[] No.12464197[source]
If we're worried about theoretical abuse, the client could access all of your files because it runs as you.

You can opt out of the kernel extension? Still, you give it root to install, and it has a long history of hacking the file browser to get icon overlays... it seems weird to me that this would be a deciding factor.

replies(1): >>12464264 #
4. lm2s ◴[] No.12464264{3}[source]
I was under the impression that the kernel extension was a separate product; it's being included in the standalone Dropbox application? You do have a point about giving it administrator privileges; the post, however, shows very clearly that they are abusing your trust, which is enough for people to think twice before using their application.
replies(1): >>12464335 #
5. eridius ◴[] No.12464335{4}[source]
What kernel extension? Dropbox has a Finder plugin for badges, but what would they need a kernel extension for?
replies(1): >>12464474 #
6. 0x0 ◴[] No.12464474{5}[source]
This kernel extension:

/Library/Extensions/Dropbox.kext

And good question.

replies(2): >>12464559 #>>12464804 #
7. danieldk ◴[] No.12464559{6}[source]
I don't see that on my Mac, probably a different client version. I guess it's related to Project Infinite:

https://blogs.dropbox.com/tech/2016/05/going-deeper-with-pro...

8. DINKDINK ◴[] No.12464611[source]
>you trust dropbox with your files, and you trust them with a kernel blob implementing the filesystem, but you don't trust them to silently have accessibility rights?

The problem here isn't that you don't trust them to have accessibility rights, it's that Dropbox has phished your root password, stored it, and will continue to modify your system to meet its desired operating criteria.

replies(1): >>12465220 #
9. angryasian ◴[] No.12464701[source]
Trusting them with some files that you knowingly add vs giving them root permissions and password are two totally different things.
10. _razvan ◴[] No.12464804{6}[source]
The kernel extension implements Dropbox Infinite.
11. plttn ◴[] No.12465220[source]
>- We never see or store your admin password. The dialog box you see is a native OS X API (i.e. made by Apple).

Direct from the DB engineer at top of thread.

replies(1): >>12465492 #
12. DINKDINK ◴[] No.12465492{3}[source]
If that's the case, how is it that the accessibility preferences are changed without root authorization?
replies(1): >>12466658 #
13. gumby ◴[] No.12466658{4}[source]
Presumably with one of the suid executables you authorized when you typed your root password to the dialogue.

And one of them is writable by anyone -- great security, guys!

replies(1): >>12469241 #
14. Dylan16807 ◴[] No.12469241{5}[source]
Does OS X not clear suid when a file is written to?
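
An added example, not part of the thread and not Dropbox's or Apple's code: a Python audit that walks a directory tree and reports setuid or setgid regular files that group or other users can write to, the condition comment 13 describes. The function name `find_writable_setid` and the directory passed to it are assumptions chosen for illustration.

```python
import os
import stat
import sys


def find_writable_setid(root):
    """Return sorted [(path, mode_string, owner_uid)] for setuid/setgid
    regular files under root that are writable by group or other.

    Hypothetical helper written for this example.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks
            except OSError:
                continue  # file vanished or is unreadable; skip it
            if not stat.S_ISREG(st.st_mode):
                continue  # only regular files can be executed setuid
            # Privilege bits: run as the file's owner or group.
            setid = st.st_mode & (stat.S_ISUID | stat.S_ISGID)
            # Write bits for anyone other than the owner.
            loose = st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
            if setid and loose:
                findings.append((path, stat.filemode(st.st_mode), st.st_uid))
    return sorted(findings)


if __name__ == "__main__":
    # Directory to audit; defaults to the current directory.
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, mode, uid in find_writable_setid(root):
        print(f"{mode} uid={uid} {path}")
```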