A security researcher claims that Dropbox is vulnerable to a design flaw that makes it easy for attackers to copy data from people's accounts if they obtain access to a particular file.
According to security expert Derek Newton, after adding a computer to the sync chain, the Windows Dropbox client generates a unique host_id token and stores it in the %APPDATA%\Dropbox\config.db file.
This host_id is used to authenticate the computer with the service and, apparently, it can be easily transferred to another system and used to download a copy of the data on it.
The problem is that Dropbox does not perform any additional checks to determine if the host_id is actually located on the computer it was generated on.
Newton explains that a trojan can be configured to extract the host_id from config.db and send it to hackers for accessing the victim's data.
The only way to revoke a host_id is to unlink the corresponding computer from the Dropbox.com account. The expert advises corporate users to stop using Dropbox until the issue is fixed.
Dropbox's CTO, Arash Ferdowsi, does not agree with Mr. Newton and points out that if attackers obtain access to the system via a trojan or some other way, the data can already be considered compromised.
This is a valid argument, but it is also true that copying a few gigabytes of data through a trojan is significantly harder and more prone to detection than stealing a simple token and using it to download the information directly on a remote computer.
Ferdowsi is not completely dismissive of the issue and promises that the Dropbox team will carefully consider methods of improving the authentication and will introduce them in future versions of the client.
Using more complex tokens, as well as better file permissions and obfuscation, are some of the possibilities. However, linking the token to the system in some way in order to prevent it from being ported is probably the best solution.
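The difference between a portable token and one linked to the system can be shown with a small model. This is an added sketch, not Dropbox's protocol or code from Newton's write-up: the `Server` and `Device` classes, the `device_key` and the challenge-response step are all hypothetical, and the key is assumed to live in a non-exportable store rather than in config.db.

```python
import hashlib
import hmac
import secrets


class Server:
    """Toy sync service (hypothetical): maps each host_id to a device key."""

    def __init__(self):
        self.hosts = {}  # host_id -> device key registered at link time

    def link(self, device_key: bytes) -> str:
        host_id = secrets.token_hex(16)
        self.hosts[host_id] = device_key
        return host_id

    def auth_bearer(self, host_id: str) -> bool:
        # Behaviour described in the article: presenting host_id is enough.
        return host_id in self.hosts

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def auth_bound(self, host_id: str, nonce: bytes, proof: bytes) -> bool:
        # Bound variant: the caller must also prove it holds the device key.
        key = self.hosts.get(host_id)
        if key is None:
            return False
        expected = hmac.new(key, nonce + host_id.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, proof)


class Device:
    """A linked computer; device_key stands in for a non-exportable key."""

    def __init__(self, server: Server):
        self.device_key = secrets.token_bytes(32)    # assumed never stored in config.db
        self.host_id = server.link(self.device_key)  # the only value in config.db

    def prove(self, nonce: bytes) -> bytes:
        return hmac.new(self.device_key, nonce + self.host_id.encode(), hashlib.sha256).digest()


def demo() -> dict:
    server = Server()
    linked = Device(server)
    copied_host_id = linked.host_id  # everything a copied config.db contains
    nonce = server.challenge()
    # A second machine has the host_id but not the key, so its proof is wrong.
    wrong = hmac.new(b"\x00" * 32, nonce + copied_host_id.encode(), hashlib.sha256).digest()
    return {
        "bearer_with_copied_id": server.auth_bearer(copied_host_id),
        "bound_with_copied_id": server.auth_bound(copied_host_id, nonce, wrong),
        "bound_on_linked_device": server.auth_bound(linked.host_id, nonce, linked.prove(nonce)),
    }
```

The binding is only as strong as the key's protection: if the key sits in a file next to config.db, it is copied along with the host_id and nothing is gained.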