←back to thread

How Dropbox Hacks Your Mac

(applehelpwriter.com)
1037 points 8bitben | 1 comments | 09 Sep 16 15:52 UTC | HN request time: 0.206s | source
Show context
newhouseb ◴[09 Sep 16 18:15 UTC] No.12464730[source]
Hi HN — Ben from Dropbox here on the desktop client team. Wanted to clarify a few things —

- Clearly we need to do a better job communicating about Dropbox’s OS integration. We ask for permissions once but don’t describe what we’re doing or why. We’ll fix that.

- We only ask for privileges we actively use -- but unfortunately some of the permissions aren’t as granular as we would like.

- We use accessibility APIs for the Dropbox badge (Office integrations) and other integrations (finding windows & other UI interactions).

- We use elevated access for where the built-in FS APIs come up short. We've been working with Apple to eliminate this dependency and we should have what we need soon.

- We never see or store your admin password. The dialog box you see is a native OS X API (i.e. made by Apple).

- We check and set privileges on startup — the intent was to make sure Dropbox is functioning properly, works across OS updates, etc. The intent was never to frustrate people or override their choices.

We’re all jumping on this. We’ll do a better job here and we’re sorry for any anger, frustration or confusion we’ve caused.

replies(30): >>12464748 #>>12464757 #>>12464795 #>>12464842 #>>12464871 #>>12464901 #>>12464973 #>>12464992 #>>12465003 #>>12465065 #>>12465178 #>>12465579 #>>12465584 #>>12465819 #>>12465975 #>>12466068 #>>12466126 #>>12466141 #>>12466143 #>>12466315 #>>12466502 #>>12466626 #>>12466822 #>>12468525 #>>12468769 #>>12468833 #>>12469145 #>>12470515 #>>12473045 #>>12481821 #
seanhunter ◴[09 Sep 16 18:19 UTC] No.12464757[source]
It's very strange that after I remove Dropbox from the accessibility list you think it's ok to add it back in again. That's the reason I'll be closing my account.
replies(4): >>12465297 #>>12465446 #>>12465874 #>>12466349 #
jimmaswell ◴[09 Sep 16 20:37 UTC] No.12465874[source]
Why would you even do that? What nefarious and yet undiscovered things did you think DropBox was likely to do specifically with the accessibility permission?

Permission systems in general seem like a solution without a problem to me. Nobody but a minority of people very concerned about theoretical security problems wanted them on platforms that didn't have them, almost nobody cares what permissions programs use on platforms that have them now, and people get along perfectly fine and with less inconvenience shoved in their face running programs without permissions systems aside from a simple admin rights/no admin rights today on Windows and Linux.

replies(4): >>12465969 #>>12466109 #>>12466456 #>>12466916 #
1. __jal ◴[09 Sep 16 22:20 UTC] No.12466456[source]
> and people get along perfectly fine and with less inconvenience shoved in their face running programs without permissions systems aside from a simple admin rights/no admin rights [...]

...For values of "perfectly fine" that include millions of malware slaves on the net, hundreds of millions of stolen passwords, targeted 0 days attacking human rights workers, file-encryptor extortion apps, etc. etc. etc.

> What nefarious and yet undiscovered things

If they're undiscovered, how am I supposed to list them?

As far as discovered things, the permission allows Dropbox to sniff the keyboard and interact with any other application as the user. Add that to unrestricted filesystem access, and the right question to ask is what nefarious things Dropbox can't do.