April 22nd, 2011, 08:53 GMT · By

Dropbox to Fix Host ID Security Issue

(Image caption: Dropbox to render host IDs unportable)
In a blog post clarifying some recent Terms of Service (TOS) changes, Dropbox also promises to make it impossible for attackers to steal the host_id from one computer and access the associated account on another.

Earlier this month, security expert Derek Newton revealed that hackers can easily download all files in people's Dropbox accounts if they steal the application's configuration file from their computers.

This file contains a unique value called "host_id" that is generated when the computer is first linked with a Dropbox account.

The problem with this value is that it's not system-dependent, meaning it's not tied to a particular computer or configuration.

If an attacker can obtain this piece of information, via malware, a backdoor or physical access, they can insert it into their own config.db file and download all files from the victim's account.

Dropbox dismissed this as a vulnerability, arguing that if a hacker obtains unrestricted access to a system, which is required to steal the host_id, the data on that computer is already compromised.

In theory this is true, but in practice it is much harder for an attacker to siphon many gigabytes of data out of a network without the traffic being noticed than to download it directly from Dropbox's servers.

In conclusion, while the host_id portability issue is not a vulnerability in itself, it clearly makes data theft attacks easier.

"Unfortunately, when something like this happens, all applications and data on the computer are at risk. That said, we have developed ways to provide greater protection for Dropbox accounts on compromised computers," Drew Houston and Arash Ferdowsi, the company's founders, write.

"[...] Last week’s update to the Dropbox desktop app sets more restrictive permissions on the folder that stores the authentication file, and we will soon provide a solution that will make the authentication file useless on a second computer," they announce.

It's good to see that despite having a valid argument against the seriousness of this problem, Dropbox is still willing to invest time and resources to make life harder for attackers even when full system compromise occurs.
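To make the difference between a portable and a device-bound authentication file concrete, here is an added illustration that is not Dropbox's code and does not describe how Dropbox actually implemented its fix. It models a link server that, in the portable scheme, accepts the host_id alone, and in the device-bound scheme also requires a proof computed from a machine-specific key. The machine attributes, the host_id format and the HMAC-based binding are all assumptions made for the example; the "victim" and "attacker" machines are constructed data. It also includes the file-permission check that the first part of the announced fix corresponds to.

```python
import hashlib
import hmac
import os
import secrets
import stat
import tempfile

# Constructed machines. A real client would derive its key from something
# stable and local, such as an OS install identifier or a hardware-backed
# key store (assumption; the attributes below are made up for the demo).
VICTIM_MACHINE = {"machine_id": "victim-0001-constructed", "volume_serial": "AB12-CD34"}
ATTACKER_MACHINE = {"machine_id": "attacker-0002-constructed", "volume_serial": "EF56-7890"}


def machine_key(machine: dict) -> bytes:
    """Derive a per-machine secret from local attributes (assumed scheme)."""
    material = "|".join(f"{k}={machine[k]}" for k in sorted(machine))
    return hashlib.sha256(material.encode()).digest()


def client_proof(host_id: str, machine: dict) -> str:
    """Proof the client computes locally: HMAC of host_id under the machine key.
    The machine key itself never leaves the computer."""
    return hmac.new(machine_key(machine), host_id.encode(), hashlib.sha256).hexdigest()


class LinkServer:
    """Toy account server. device_bound=False models a portable host_id;
    device_bound=True stores the client's proof at link time and demands it
    on every later request."""

    def __init__(self, device_bound: bool):
        self.device_bound = device_bound
        self.links = {}  # host_id -> stored proof, or None in the portable scheme

    def link(self, machine: dict) -> str:
        host_id = secrets.token_hex(16)
        # In a real protocol the client sends the proof; computing it here
        # with client_proof() keeps the simulation short.
        self.links[host_id] = client_proof(host_id, machine) if self.device_bound else None
        return host_id

    def authenticate(self, host_id: str, machine: dict) -> bool:
        stored = self.links.get(host_id)
        if host_id not in self.links:
            return False
        if stored is None:
            return True  # portable scheme: whoever holds host_id is "the computer"
        return hmac.compare_digest(stored, client_proof(host_id, machine))


def config_is_private(mode: int) -> bool:
    """True when the authentication file grants nothing to group or others."""
    return (mode & 0o077) == 0


def write_private_config(directory: str, host_id: str) -> int:
    """Write a config file readable only by its owner and return its mode bits."""
    path = os.path.join(directory, "config.db")
    with open(path, "w") as fh:
        fh.write(f"host_id={host_id}\n")
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)  # 0600
    return stat.S_IMODE(os.stat(path).st_mode)


def demo() -> dict:
    """Link the victim's machine under both schemes, then replay the stolen
    host_id from the attacker's machine."""
    portable = LinkServer(device_bound=False)
    bound = LinkServer(device_bound=True)
    stolen_portable = portable.link(VICTIM_MACHINE)
    stolen_bound = bound.link(VICTIM_MACHINE)
    return {
        "portable_same_machine": portable.authenticate(stolen_portable, VICTIM_MACHINE),
        "portable_copied": portable.authenticate(stolen_portable, ATTACKER_MACHINE),
        "bound_same_machine": bound.authenticate(stolen_bound, VICTIM_MACHINE),
        "bound_copied": bound.authenticate(stolen_bound, ATTACKER_MACHINE),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
    with tempfile.TemporaryDirectory() as tmp:
        mode = write_private_config(tmp, "example-host-id")
        print(f"config.db mode {oct(mode)} private: {config_is_private(mode)}")
```

The copied host_id is accepted under the portable scheme and rejected under the device-bound one, which is exactly the property the announced fix aims for. The caveat the article itself raises still applies: an attacker with full control of the computer can also read whatever the machine key is derived from, so binding of this kind raises the cost of the attack rather than eliminating it; deriving the key from a hardware-backed store the attacker cannot export would be the stronger design.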

Copyright © 2001-2012 Softpedia.