How Dropbox Hacks Your Mac

(applehelpwriter.com)

1037 points 8bitben | 4 comments | 09 Sep 16 15:52 UTC | HN request time: 0.04s | source

Show context

tomku ◴[09 Sep 16 16:25 UTC] No.12463685[source]▶

Non-clickbait title: "How Dropbox uses the root access that you give it during installation to give itself Accessibility authorization without triggering the usual popup".

replies(7): >>12463788 #>>12463995 #>>12464020 #>>12464453 #>>12464504 #>>12466157 #>>12468163 #

hyh1048576 ◴[09 Sep 16 16:35 UTC] No.12463788[source]▶

>>12463685 #

Great summary. But it's still some kind of hack.

If every app I installed did this then my mac is closer to getting hacked.

Anyway, Apps that asks for root password on installation always makes me cringe, e.g. they could turn on SSH and put a pubkey into authorized_keys, or they could upload SSH identity files. But I still proceed to enter my password.

replies(2): >>12463814 #>>12463870 #

gruez ◴[09 Sep 16 16:38 UTC] No.12463814[source]▶

>>12463788 #

How's that any different compared to Linux? AFAIK apt packages can run arbitrary scripts as root.

replies(4): >>12463950 #>>12463964 #>>12463969 #>>12464438 #

0x0 ◴[09 Sep 16 17:44 UTC] No.12464438[source]▶

>>12463814 #

No respectable package would put up a fake sudo prompt only to stash away your password for later use.

replies(1): >>12465562 #

1. Kadin ◴[09 Sep 16 19:54 UTC] No.12465562[source]▶

>>12464438 #

It's a good thing Dropbox isn't doing that, then.

replies(1): >>12468192 #

2. tigershark ◴[10 Sep 16 07:51 UTC] No.12468192[source]▶

>>12465562 (TP) #

Then please explain how it manages to set the accessibility privilege at every login after the user explicitly revokes it. I can see only two options:

1) the Dropbox client stores the password and uses it to hack the accesses db at every login.

2) the Dropbox client runs as root and does the same thing.

Both options are simply terrible from a security point of view

replies(2): >>12468564 #>>12468701 #

3. johncolanduoni ◴[10 Sep 16 10:15 UTC] No.12468564[source]▶

>>12468192 #

Not sure if this is how they do it, but OS X has another option (which is in fact recommended by Apple for all tasks needing elevated permissions): installation of a privileged helper tool.[1] The helper tool communicates with the main app via IPC, ideally such that the only things the app can ask are precisely the things it's supposed to do (e.g. the helper will only sneak in accessibility for the dropbox app, and nobody else). The helper tool removes a lot of the surface area for security holes, assuming the IPC protocol is well written (not something like "here's this string, run it as a shell command with root privileges).

[1]: https://developer.apple.com/library/mac/documentation/Securi...

4. danieldk ◴[10 Sep 16 11:23 UTC] No.12468701[source]▶

>>12468192 #

3) Dropbox installs some helper programs with the SUID bit set.

And this is what they actually do.

    % ls -l /Library/DropboxHelperTools/Dropbox_u501
    total 256
    -r-s--x--x  1 root  wheel    9632 Sep  8 20:10 dbaccessperm
    -r-s--x--x  1 root  wheel  116668 Sep  8 20:10 dbfseventsd

(Note the SUID bit and the root owner, meaning that these binaries will run with the root UID when started by a normal user.)

↑