Dropbox security issue

Posts: 499
Joined: Sun Aug 12, 2007 11:16 pm
Platform: Mac
Location: Auburn, AL USA

Tue Sep 13, 2016 11:50 pm Post

I've checked and what he says is right. Dropbox has taken for itself the ability "to control [my] computer." I quote from the first linked article below:

No, I can assure you that your memory isn’t faulty. You don’t remember doing that because Dropbox never presented this dialog to you, as it should have:
That’s the only officially supported way that apps are allowed to appear in that list, but Dropbox never asked you for that permission. I’ll get to why that’s important in a moment, but if you have the time, try this fascinating experiment: try and remove it.

Ok, you say, no problem. We all know how to do that – open the padlock, un-click the checkbox. Click the ‘-‘ button to remove it from the list. Simple, right? Look there it goes, no more Dropbox in the the Preferences panel, right?

Wrong…like a bad penny it’ll be back again before you know it. Either log out and log back in again or quit Dropbox and restart it. Dropbox will surreptitiously insert itself back in to that list AND the checkbox will be checked....
That leaves a couple of questions. First, why does it matter, and second, is there any way to keep using Dropbox but stop it having access to control your computer?

There’s at least three reasons why it matters. It matters first and foremost because Dropbox didn’t ask for permission to take control of your computer. What does ‘take control’ mean here? It means to literally do what you can do in the desktop: click buttons, menus, launch apps, delete files… . There’s a reason why apps in that list have to ask for permission and why it takes a password and explicit user permission to get in there: it’s a security risk.

http://applehelpwriter.com/2016/07/28/r ... rity-hack/

http://www.chronicle.com/blogs/profhack ... -you/62785

Read the article for further details on just how serious a security risk this is. The writer also tells you how to remove the risk.

There really isn’t any excuse for Dropbox to ride roughshod over users’ security and preference choices. So that leaves us with just one last question: how to get Dropbox out of there? The short answer is that you first uninstall Dropbox (see my procedure here), then remove it from the Accessibility pane (see the description in paragraph 4 above or watch the video). Now you can re-install it, but you hit ‘Cancel’ when it asks you for an admin password:

The dialog box apparently lies (again, still trusting this big name firm?) when it says Dropbox won’t work properly and clearly deceives because this is NOT the dialog box that Dropbox should be showing you to get access into Accessibility. Indeed, even with your admin password, it still shouldn’t be able to get into Accessibility. Clearly Dropbox’s coders have been doing some OS X hacking on company time.

Later, he offers a simpler way to get rid of the problem:

How to remove Dropbox from Accessibility prefs:

Since writing this post and the follow up to it showing how Dropbox hacks your mac, I’ve discovered a simpler way to thwart Dropbox’s insistence on being in Accessibility:

1. Quit the Dropbox app in the status bar.
2. Delete /Library/DropboxHelperTools folder.
3. Remove Dropbox from Accessibility in Sys Prefs Security & Privacy
4. Log out and log back in to your mac user account.
5. After that, you should see this (screenshot below); press ‘Cancel’ – and you’re done*.

http://applehelpwriter.com/2016/07/28/r ... ment-27348

Creepy, really creepy. Dropbox works fine with that disabled, or at least it does everything users want it to do. I wonder if Dropbox is doing what a Swiss company, Crypto AG did on the CIA payroll. That might also explain Apple's laggardly response to this issue.

According to declassified (but partly redacted) US government documents released in 2015, in 1955, Crypto AG's founder Boris Hagelin and William Friedman entered into an unwritten agreement concerning the C-52 encryption machines that compromised the security of some of the purchasers.


We'll see max OS 10.12 fixes this giant security hole.

User avatar
Posts: 1223
Joined: Sat Nov 06, 2010 1:55 pm
Platform: Mac, Win + iOS
Location: Monroe, WA 98272 (CN97au)

Wed Sep 14, 2016 12:39 am Post

There's a great link to a less inflammatory discussion of this issue (as well as a rebuttal of several factual errors) here in our own forums:

Devin L. Ganger, WA7DLG
Not a L&L employee; opinions are those of my cat
Winner "Best in Class", 2018 My First Supervillain Photo Shoot