
How Dropbox Hacks Your Mac

(applehelpwriter.com)
1037 points 8bitben | 5 comments
gruez ◴[] No.12463849[source]
The fact that any application can spoof the OS password prompt makes me wonder why they don't have a prominent feature to show the prompt is from the OS. On Windows there is the secure desktop with the dimming effect.
replies(6): >>12463913 #>>12463935 #>>12463946 #>>12464205 #>>12464261 #>>12465995 #
gusmd ◴[] No.12464261[source]
That reminds me of how Windows asks you to press "ctrl+alt+del" before typing your account password in some situations, because other software cannot intercept ctrl+alt+del so you know the login prompt is legit.
replies(1): >>12464329 #
1. Vendan ◴[] No.12464329[source]
That was actually designed to avoid typing credentials into "faked" password dialogs. The above-mentioned "Secure Desktop" with dimming is not designed for that, but for the, rather hilarious, fact that it is trivial for a Windows program to hit any button on the screen it wants to. Having the permission requests pop up on a "Secure Desktop" prevents a malicious program from hitting the "Allow" button for its own permission request. The funny part is that this is the exact kind of functionality Dropbox is "hacking" itself access to.
replies(1): >>12466708 #
2. hobarrera ◴[] No.12466708[source]
Dropbox isn't hacking anything. They show the legit OS dialog requesting permission, and the user complies blindly.
replies(1): >>12467281 #
3. Vendan ◴[] No.12467281[source]
Hence why I put hacking in quotes...? I'm just pointing out that Dropbox is arguably jumping through hoops to get access to functionality that Windows gives to basically anything that gets a toehold on your system.
replies(1): >>12468708 #
4. hobarrera ◴[] No.12468708{3}[source]
The fact that Windows has even less security (though I'd like to think you exaggerated) doesn't justify this at all.
replies(1): >>12469165 #
5. Vendan ◴[] No.12469165{4}[source]
It's a basic fact of the way Windows is designed. If you can get code to run on a Windows computer, you get a lot of power over that computer. Even more if the user is a local administrator. As someone that tests Windows computer network security on a regular basis, it is rather disturbing how much work you have to put into making a Windows network actually secure.