Is DROPBOX Really Secure?

By Tommy Vee

To fully understand Dropbox, I have focused on understanding the inner workings (“”) of several of the popular file synchronization tools with the purpose of finding useful forensics-related artifacts that may be left on a system (“java”), as a result of using these tools. Given the prevalence of Dropbox, I decided that it would be one of the first synchronization tools that I would analyze, and while working to better understand it I came across some interesting security related findings.

The basis for this finding has actually been briefly discussed in a number of forum posts in Dropbox’s official forum, for most people really don’t understand the significance of the way Dropbox is handling authentication. So, after breaking into my forensics-artifacts research, and to shed some light about what appears to be going on from an authentication standpoint and the significant security implications that the present implementation of Dropbox brings to the end user.

To fully understand the security implications, you need to understand how Dropbox works (for those of you that aren’t familiar with what Dropbox is – a brief feature primer can be found on their official website). Dropbox’s primary feature is the ability to “sync files across systems and devices” that you own…”automatically”, WTF! In order to support this syncing process, (the Dropbox client) is installed on a system that you wish to participate in this synchronization. At the end of the installation process the user is prompted to enter their Dropbox credentials (or create a new account) and then the Dropbox folder on your local system syncs up with the Dropbox “cloud.” The client runs constantly looking for new changes locally in your designated Dropbox folder and/or in the cloud and syncs as required; there are versions that support a number of operating systems (Windows, Mac, and Linux) as well as a number of portable devices (iOS, Android, etc). However, given my research is focusing on the use of Dropbox on a Windows system, the information I’ll be providing is Windows specific (but should be applicable on any platform).

Under Windows, Dropbox stores configuration data, file/directory listings, hashes, etc in a number of SQLite database files located in %APPDATA%\Dropbox. We’re going to focus on the primary database relating to the client configuration: config.db. Opening config.db with your favorite SQLite DB tool will show you that there is only one table contained in the database (config) with a number of rows, which the Dropbox client references to get its settings. I’m going to focus on the following rows of interest:

  • email: this is the account holder’s email address. Surprisingly, this does not appear to be used as part of the authentication process and can be changed to any value (formatted like an email address) without any ill-effects.
  • dropbox_path: defines where the root of Dropbox’s synchronized folder is on the system that the client is running on.
  • host_id: assigned to the system after initial authentication is performed, post-install. Does not appear to change over time.

After some testing (modification of data within the config table, etc) it became clear that the Dropbox client uses only the host_id to authenticate. Here’s the problem: the config.db file is completely portable and is not tied to the system in any way. This means that if you gain access to a person’s config.db file (or just the host_id), you gain complete access to the person’s Dropbox until such time that the person removes the host from the list of linked devices via the Dropbox web interface. Taking the config.db file, copying it onto another system (you may need to modify the dropbox_path, to a valid path), and then starting the Dropbox client immediately joins that system into the synchronization group without notifying the authorized user, prompting for credentials, or even getting added to the list of linked devices within your Dropbox account (even though the new system has a completely different name) – this appears to be by design. Additionally, the host_id is still valid even after the user changes their Dropbox password (thus a standard remediation step of changing credentials does not resolve this issue).

Of course, if an attacker has access to the config.db file (assuming that it wasn’t sent by the user as part of social engineering attack), the assumption is that the attacker most likely also has access to all of the files stored in your Dropbox, so what’s the big deal? Well, there are a few significant security implications that come to mind:

  • Relatively simple targeted malware could be designed with the specific purpose of exfiltrating the Dropbox config.db files to “interested” parties who then could use the host_id to retrieve files, infect files, etc.
  • If the attacker/malware is detected in the system post-compromise, normal remediation steps (malware removal, system re-image, credential rotation, etc) will not prevent continued access to the user’s Dropbox. The user would have to remember to purposefully remove the system from the list of authorized devices on the Dropbox website. This means that access could be maintained without continued access/compromise of a system.
  • Transmitting the host_id/config.db file is most likely much smaller than exfiltrating all data found within a Dropbox folder and thus most likely not set off any detective alarms. Review/theft/etc of the data contained within the Dropbox could be done at the attackers leisure from an external attacker-owned system.

So, given that Dropbox appears to utilize only the host_id for authentication by design, what can you do to protect yourself and/or your organization?

  1. Don’t use Dropbox and/or allow your users to use Dropbox. This is the obvious remediating step, but is not always practical – I do think that Dropbox can be useful, if you take steps to protect your data…
  2. Protect your data: use strong encryption to protect sensitive data stored in your Dropbox and protect your passphrase (“do not store your passphrase in your Dropbox or on the same system/device”).
  3. Be diligent about removing old systems from your list of authorized systems within Dropbox. Also, monitor the “Last Activity” time listed on the My Computers list within Dropbox. If you see a system checking in that shouldn’t be, unlink it immediately.

Ive suggestd to the BRAVE Team on Oct 22, 2023 under the Community Forum: Future Request - Desktop BETA By JANUARY 2024 - “Happy Year BRAVE Team” additional Future Request to setup this and other privacy issues to recognize the need for additional security and add in protection mechanisms that will make it less trivial to gain long-term unauthorized access to a user’s On-Line Storage as well as provide better means to mitigate and detect an exposure. Until such time, I’m hoping that this writeup helps brings to light how the authentication method used my Dropbox may not be as secure as previously assumed and that, as always, it is important to take steps to protect your data from being compromised.
Happy Storing!

Chromium already encrypts the data, and you can’t open it on other websites, so cookies, passwords and extensions (not the data) get removed if you open the User Data in another system.

The problem is Brave can’t and won’t encrypt every file in the browser, that would be Chromium’s job, and that still won’t happen, encrypting and decrypting would make things slower, so only sensitive data should be encrypted like it is today.

The issue about Chromium encryption is that it is tied to the system, so you can use ANY program to open the data base like Nirsoft to encrypt it.
The passwords you are asked to see passwords and all, are just cosmetics, and they only protect you when doing anything inside Browser only, but they are useless. You add a master password to the browser and then what? it would be stored in Preferences or something which can be easily removed by removing the file and resetting the settings, because all files, history, bookmarks and all that are not encrypted and unless Brave changes the encryption method to be local and ignore the system one, then you will have the same access to passwords once you get rid of the master password.

Security in Brave/Chromium is fine enough, nobody has ever reported password being stolen, of course, if anyone has access to your device, well, not much to do, that’s why people have to be careful and set a real authentication for the user/system if they don’t trust people around them, and don’t open weird exes to avoid someone remotely accessing your device.

Also, Brave is still a spork, and a lot of changes have to come from upstream Chromium, Brave can’t just start changing things when they work ‘decently’ already. For example, one change they are adding, is to request password to enable Synching of passwords, but again, this will not matter on desktops, but will matter on Phones that don’t have access to the User Data unless you root the phone.

These are the issues, yeah, it is not to think Brave can make everything better, but Brave is still a spork and a small company. For example, how can Brave offer 2FA without having to store people’s information? unlike now where you just join and leave sync chains to your like.
Some crazy people want Brave accounts they can sign in with their email, but in the end, in my opinion, being more careful of what you open, or what you do in the internet will make your device more secure and safe, not Windows or Brave or whatever OS or Browser you are using.
Without Brave storing our information, how can they offer more protection?

The only thing they could add is a notice when some device joins sync chain, but that’s it, what else can Brave do that can really give more protection?

Unless the whole browser and their thousands of files get encrypted… yeah, not going to happen and then we have, veracrypt or Bitlocker, but they obviously affect speed and honestly, most people don’t need that or don’t store important files in their computer to get all paranoid about it, of course they can use it, but the most important is people learning not to open anything they download.

1 Like