
How Dropbox Hacks Your Mac

(applehelpwriter.com)
1037 points | 8bitben | 6 comments
tomku No.12463685
Non-clickbait title: "How Dropbox uses the root access that you give it during installation to give itself Accessibility authorization without triggering the usual popup".
replies(7): >>12463788 #>>12463995 #>>12464020 #>>12464453 #>>12464504 #>>12466157 #>>12468163 #
1. thenewwazoo No.12464504
Corrected proposed non-clickbait title: "How Dropbox fakes an authorization prompt to trick you into entering credentials that it then caches in order to bypass restrictions on what root is able to do so that it can persist a security bypass mechanism."

The first bit, for me, is key.

replies(1): >>12464920 #
2. toomim No.12464920
It doesn't do that. It doesn't cache the credentials. It doesn't even see your password.
replies(1): >>12465180 #
3. SamBam No.12465180
How is it adding itself back to the list after being removed, then?

(Not disbelieving you at all, I just haven't understood this part.)

replies(2): >>12465249 #>>12465425 #
4. thenewwazoo No.12465249{3}
toomim is correct. Upon reading the update, it looks like it pops an OS X auth dialog to update a file (TCC.db) which is used to bypass the normal restrictions on what the root user is able to do. This bypass is used to manipulate the AX config.

Slimy, slimy, slimy.

5. gcr No.12465425{3}
It adds a suid binary to /Library/DropboxHelperTools. This binary executes as root's effective user ID no matter who executes it and adds Dropbox to the accessibility list.

Dropbox doesn't save your password.

...But I am wondering why one of these suid binaries is world-writable.

replies(1): >>12466756 #
6. gcr No.12466756{4}
Ah, it turns out none of the binaries is world-writable in a default installation. My mistake.
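
The permission check discussed in comments 5 and 6, as an added example that is not part of the thread or Dropbox's code: it lists setuid/setgid files under a directory and flags any that are world-writable or sit in a world-writable directory. The default path is the one gcr names; `Finding`, `audit_setid` and `risky` are names made up for this sketch.

```python
import os
import stat
import sys
from typing import NamedTuple


class Finding(NamedTuple):
    path: str
    mode: str               # symbolic mode, e.g. "-rwsr-xr-x"
    owner_uid: int          # a setuid file runs with this user's effective UID
    setuid: bool
    setgid: bool
    world_writable: bool    # any local user may modify the file
    dir_writable: bool      # any local user may replace files in its directory


def audit_setid(root):
    """Return a Finding for every setuid/setgid regular file under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        dmode = os.lstat(dirpath).st_mode
        # World-writable without the sticky bit: entries can be swapped by anyone.
        dir_ww = bool(dmode & stat.S_IWOTH) and not (dmode & stat.S_ISVTX)
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat so symlinks are not followed
            if not stat.S_ISREG(st.st_mode):
                continue
            suid = bool(st.st_mode & stat.S_ISUID)
            sgid = bool(st.st_mode & stat.S_ISGID)
            if suid or sgid:
                findings.append(Finding(path, stat.filemode(st.st_mode), st.st_uid,
                                        suid, sgid,
                                        bool(st.st_mode & stat.S_IWOTH), dir_ww))
    return findings


def risky(f):
    """True when an unprivileged user could alter what the privileged file runs."""
    return f.world_writable or f.dir_writable


if __name__ == "__main__":
    # Default is the directory named in the thread; pass another path to override.
    target = sys.argv[1] if len(sys.argv) > 1 else "/Library/DropboxHelperTools"
    for f in audit_setid(target):
        print("RISK" if risky(f) else "ok  ", f.mode, "uid=%d" % f.owner_uid, f.path)
```

A line with `uid=0` and an `s` in the owner-execute position is a setuid-root helper; `RISK` on such a line is the condition gcr was asking about.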