How Dropbox Hacks Your Mac

(applehelpwriter.com)
1037 points 8bitben | 2 comments
fifafu No.12464018
One thing to note: For non-sandboxed apps like Dropbox, the Accessibility API permissions don't really decrease security by a lot (in my opinion).

Most bad things can be done without the Accessibility API, e.g. apps can act as key loggers, take screenshots, encrypt all files your user can access, upload arbitrary things (unless you have a firewall enabled), synthesize mouse & keyboard events etc.

The Accessibility API makes some of those things easier, but if someone really wanted to attack you, he wouldn't need the Accessibility API.

For sandboxed apps the situation is quite different, because the Accessibility API would allow those apps to break out of the sandbox.

But of course Dropbox should have asked the user...

replies(1): >>12464326 #
1. eridius No.12464326
> apps can act as key loggers

I thought that required accessibility access?

replies(1): >>12464368 #
2. fifafu No.12464368
No, only if you use the Cocoa/Carbon APIs. Using IOKit, it doesn't need access to the Accessibility API. However, IOKit is blocked for sandboxed applications.