Popular cloud sync app raises security fears

Dropbox makes it easy to sync files among devices, but a crucial weakness points to yet another soft spot in cloud security

Last September I wrote about a program called Dropbox that makes it trivially simple to synchronize files between PCs, Macs, Linux machines, iPads, iPhones, Android phones, and BlackBerrys. When you install Dropbox, you create a folder on your machine that's automatically synchronized with Dropbox folders on the other machines and with the Dropbox application on the Internet.

It's slick. I use it every day. But there's an annoying detail that's suddenly been thrust into the public eye.

Security researcher Derek Newton blogged about the problem over the weekend. To understand the nature of the issue, it helps to see how Dropbox sets up a shared folder.

Say you install Dropbox on a new PC. You pick the shared folder and give it a password. Any files dragged into the folder appear both in the folder and in the Dropbox website. Just log on to the site and provide the same email address and password that you used when you created the original folder. Dropbox encrypts the files on its website, but the files inside the synced folder are just plain files.

Now you install Dropbox on a second PC -- same process. During the installation you create a shared folder on the second PC, provide your email address and password, and it's ready to go.

Each time you fire up either PC, the shared folder is just there. You don't have to log on to anything. Dropbox looks to see if any of the files have changed on the website and, if so, synchronizes the files in the designated folder -- very easy.

You can change the password if you like. When you're logged on to the Dropbox site, click the Account link on top, then the Account Settings tab. That's where things get a bit strange.

If you change your Dropbox password, you can still get into all of the existing PC's Dropbox folders -- and you don't have to supply the new password. The new password is only required if you set up Dropbox on a new PC (or Mac or iPad or whatever).

Dropbox implements that little sleight of hand by maintaining a file on each PC called config.db. That file (it's actually a SQL Lite database) contains a key called host_id. When you start up a PC, Dropbox runs automatically. It looks in your %APPDATA% folder (in Vista and Windows 7 that's c:\Users\<username>\AppData\Roaming), goes into the Dropbox folder, and retrieves the host_id value from the config.db file. Dropbox then goes to its website and looks up your data using the host_id. If it finds the host_id, Dropbox syncs data between the folder in the cloud and the corresponding folder on your PC.

Do you see the problem?

Dropbox doesn't ask for a password. It doesn't even check to see if the config.db file originated on the current computer. It just grabs the host_id value and syncs your data.

When you install Dropbox on a new computer (or phone) and supply the correct password, the Dropbox site adds that computer to the list of linked computers for that Dropbox account. But it doesn't update that list when a computer accesses the account.

Put two and two together and you can get five. By simply copying the config.db file from one computer to another, you can get access to all of the Dropbox files -- get them automatically synced, in fact -- without supplying a password. Dropbox doesn't check to see if the config.db file originated on the computer, nor does it add the computer to the list of devices linked to the Dropbox account.

This isn't a horrible security breach, but it's an excellent example of how programming for user convenience in the cloud -- in this case, syncing data without requesting a password -- can open the door for some potential abuse.

Dropbox fans rightfully point out that swiping a config.db file from somebody is a nontrivial task. If a black hat hacker could steal information from your computer, the argument goes, why would they bother with a host_id key to get into a Dropbox account?

Dropbox's detractors decry the lack of validation, no password on sync, no verification of the pedigree of the config.db file, combined with a lack of audit controls. No list of machines accessing the Dropbox account, topped off with an ineffectual lockdown -- and changing the password doesn't change anything.

They're right, of course. Clearly Dropbox needs to do more to protect its customers.

I see two important points to be drawn from this discovery.

First, developers need to implement the same kind of controls in the cloud that they're accustomed to implementing in more traditional systems. Yes, that will make some things less convenient. So be it.

Second, storing sensitive, unencrypted information in the cloud is foolish, no matter how you slice it.

This story, "Popular cloud sync app raises security fears," was originally published at InfoWorld.com. Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow InfoWorld.com on Twitter.

Copyright © 2011 IDG Communications, Inc.