Major Dropbox security flaw discovered

April 13, 2011 – 5:56 AM

Dropbox is a popular tool used to sync files between multiple computers and devices that a user owns. A user installs the software, designates a folder to keep synchronized, and is then able to access those files from the other machines they own. The tool was even picked as one of the top ten tools that every PC should have installed.

Unfortunately, it appears that the tool has a major security flaw that could expose your files to everyone on the Internet. According to security specialist Derek Newton, the issue stems from the fact that the tool uses a simple configuration file to link all of a user's Dropbox machines together. The file, config.db, contains a small table with only three fields: email, dropbox_path, and host_id. Since the host_id is not actually tied to a specific host and does not appear to change over time, an attacker could create a piece of malware that silently locates the config.db file and sends it back. The attacker would then be able to start up a copy of Dropbox with the stolen config file in place and instantly become part of the victim's mesh of computers. The tool does not notify the user of how many machines are connected, so the victim would have no way of knowing that their files were being stolen.


