Dropbox is one of the most used collaborative tools, and most of us have been liberal when it comes to giving the Dropbox app access to our file systems. While it might not always be dangerous to give access to your favorite apps, here is how one could get your Mac hacked via Dropbox.
Assuming you have Dropbox installed, head over to the System Preferences > Security & Privacy > Accessibility tab. Notice the “lock” icon circled in the image: does this really mean that you gave the app permission to control the computer earlier? The folks at applehelpwriter, who tried this out, say that Dropbox never asked them for this access, yet somehow it has control over the computer.
As detailed there, the next step is to try revoking the permission and see if it really works. Go to the “padlock” symbol and uncheck the tick box. This is expected to revoke Dropbox's permission to access your Mac. Now try logging out and logging in again, and also try restarting the Dropbox app. Then go to System Preferences and behold: you will be surprised to see that Dropbox has reappeared in the list.
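The revoke-and-recheck test above can also be done by reading the Accessibility entries from the macOS TCC database before and after logging back in. The following is an added example, not code from the original article or from Dropbox; the database path and the `access` table columns are not mentioned in the article, and the sample rows (including the bundle identifiers) are constructed for illustration.

```python
import sqlite3
import sys
from pathlib import Path

# System-wide TCC database; reading it needs root (and Full Disk Access on recent macOS).
SYSTEM_TCC_DB = Path("/Library/Application Support/com.apple.TCC/TCC.db")
SERVICE = "kTCCServiceAccessibility"

def accessibility_grants(conn):
    """Map each client listed under Accessibility to True (ticked) or False (unticked)."""
    cols = {row[1] for row in conn.execute("PRAGMA table_info(access)")}
    if "auth_value" in cols:        # macOS 11 and later: 2 means allowed
        col, on = "auth_value", 2
    elif "allowed" in cols:         # earlier releases: 1 means allowed
        col, on = "allowed", 1
    else:
        raise RuntimeError("unrecognised TCC access table layout")
    rows = conn.execute(f"SELECT client, {col} FROM access WHERE service = ?", (SERVICE,))
    return {client: value == on for client, value in rows}

def regranted(before, after):
    """Clients enabled in `after` that were unticked or missing in `before`."""
    return sorted(c for c, on in after.items() if on and not before.get(c, False))

def sample_db(rows, modern=False):
    """Constructed in-memory stand-in for TCC.db with only the columns used here."""
    conn = sqlite3.connect(":memory:")
    col = "auth_value" if modern else "allowed"
    conn.execute(f"CREATE TABLE access (service TEXT, client TEXT, {col} INTEGER)")
    conn.executemany("INSERT INTO access VALUES (?, ?, ?)", rows)
    return conn

# Constructed sample rows: state right after unticking, and after logging back in.
AFTER_REVOKE = [(SERVICE, "com.getdropbox.dropbox", 0), (SERVICE, "com.example.helper", 1)]
AFTER_LOGIN = [(SERVICE, "com.getdropbox.dropbox", 1), (SERVICE, "com.example.helper", 1)]

if __name__ == "__main__":
    if SYSTEM_TCC_DB.exists() and "--live" in sys.argv:
        # Read-only open of the real database; prints the current Accessibility list.
        conn = sqlite3.connect(SYSTEM_TCC_DB.as_uri() + "?mode=ro", uri=True)
        print(accessibility_grants(conn))
    else:
        before = accessibility_grants(sample_db(AFTER_REVOKE))
        after = accessibility_grants(sample_db(AFTER_LOGIN))
        print("re-enabled without a new approval:", regranted(before, after))
```

An app you approved yourself between the two snapshots will also show up in the result, so compare snapshots taken around a single logout and login.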
The most intriguing part here is how Dropbox could gain access without going through the usual protocol of asking the user for permission, and what exactly the term “taking control” means in this context. By taking control, the app will reportedly have complete access (via Accessibility) to your computer and can perform any operation, including clicking buttons and menus, launching apps and deleting files. By now you might have realized that this is a fatal threat that attackers could exploit.
That said, there have been no untoward incidents reported in which Dropbox was at fault. Still, Dropbox has control over your machine, which also means that the app has overridden the user's and Apple’s security preferences without consent. The possibility of Dropbox storing your admin password in its own caches or giving itself complete root privileges cannot be ruled out.
To deny Dropbox these permissions, you need to re-install it and, when it asks you to enter the computer's admin password for Dropbox to work properly, hit cancel. It might be a pain to cancel the dialog box every time it appears, but it’s better than giving root access to your Mac. The bottom line: don’t trust apps blindly, and always be sure of what permissions you have granted to an app.
Update: Dropbox has finally responded to the accusation and completely rejected the claims of any wrongdoing. This is what a Dropbox spokesperson had to say:
Dropbox, like other apps, requires additional permissions to enable certain features and integrations. The operating system on a user’s device may ask them to input their password to confirm. Dropbox never sees or receives these passwords. Reports of Dropbox spoofing interfaces, or capturing system passwords are absolutely false. We realize that we can do a better job communicating how these permissions are used, and we’re working on improving this.