(applehelpwriter.com)

1037 points 8bitben | 1 comments | 09 Sep 16 15:52 UTC | HN request time: 0s | source

Show context

tomku ◴[09 Sep 16 16:25 UTC] No.12463685[source]▶

Non-clickbait title: "How Dropbox uses the root access that you give it during installation to give itself Accessibility authorization without triggering the usual popup".

replies(7): >>12463788 #>>12463995 #>>12464020 #>>12464453 #>>12464504 #>>12466157 #>>12468163 #

thenewwazoo ◴[09 Sep 16 17:50 UTC] No.12464504[source]▶

>>12463685 #

Corrected proposed non-clickbait title: "How Dropbox fakes an authorization prompt to trick you into entering credentials that it then caches in order to bypass restrictions on what root is able to do so that it can persist a security bypass mechanism."

The first bit, for me, is key.

replies(1): >>12464920 #

toomim ◴[09 Sep 16 18:39 UTC] No.12464920[source]▶

>>12464504 #

It doesn't do that. It doesn't cache the credentials. It doesn't even see your password.

replies(1): >>12465180 #

SamBam ◴[09 Sep 16 19:06 UTC] No.12465180{3}[source]▶

>>12464920 #

How is it adding itself back to the list after being removed, then?

(Not disbelieving you at all, I just haven't understood this part.)

replies(2): >>12465249 #>>12465425 #

1. thenewwazoo ◴[09 Sep 16 19:14 UTC] No.12465249{4}[source]▶

>>12465180 #

toomim is correct. Upon reading the update, it looks like it pops an OS X auth dialog to update a file (TCC.db) which is used to bypass the normal restrictions on what the root user is able to do. This bypass is used to manipulate the AX config.

Slimy, slimy, slimy.

↑

How Dropbox Hacks Your Mac