Archive for Dropbox

Dropbox Sign Has Been Pwned…. And It’s Not Good If You’re A User Of This Service

Posted in Commentary on May 3, 2024 by itnerd

If you pay a visit to this link, you’ll see that cloud storage firm Dropbox has disclosed that hackers breached production systems for its Dropbox Sign eSignature platform and gained access to authentication tokens, MFA keys, hashed passwords, and customer information:

On April 24th, we became aware of unauthorized access to the Dropbox Sign (formerly HelloSign) production environment. Upon further investigation, we discovered that a threat actor had accessed data including Dropbox Sign customer information such as emails, usernames, phone numbers and hashed passwords, in addition to general account settings and certain authentication information such as API keys, OAuth tokens, and multi-factor authentication.

For those who received or signed a document through Dropbox Sign, but never created an account, email addresses and names were also exposed. Additionally, if you created a Dropbox Sign or HelloSign account, but did not set up a password with us (e.g. “Sign up with Google”), no password was stored or exposed. We’ve found no evidence of unauthorized access to the contents of customers’ accounts (i.e. their documents or agreements), or their payment information.  

From a technical perspective, Dropbox Sign’s infrastructure is largely separate from other Dropbox services. That said, we thoroughly investigated this risk and believe that this incident was isolated to Dropbox Sign infrastructure, and did not impact any other Dropbox products.

Well, that’s pretty bad. But at least they admitted to it rather than kicking that can down the road for as long as they could get away with doing so. Melvin Lammerts, Hacking Lead, Hadrian had this to say:

“Dropbox was upfront about their security breach, which is good. The fact that hackers gained access through a backend service account is worrisome. The leaked customer information could lead to possible account takeovers, highlighting the importance of robust security measures for backend service accounts and effective methods for detecting unusual activity. This incident demonstrates why companies need to be constantly testing their security in all systems, including those not (fully) publicly accessible.”

Ted Miracco, CEO, Approov Mobile Security:

“Considering this is the second breach in two years, a comprehensive security review of Dropbox’s entire ecosystem is advisable. This review should be conducted with external cybersecurity experts to ensure impartiality and a fresh perspective on security challenges. Dropbox has already taken some crucial initial steps such as resetting users’ passwords, logging users out of devices, and rotating API keys and OAuth tokens. These actions are essential to securing accounts and preventing further unauthorized access.”

If you use Dropbox Sign, you might want to put your head on a swivel for the next little while as I am certain that secondary attacks are coming. As for Dropbox, the fact that they put this out there is good. But they will have a lot of questions that they need to answer in the coming days and weeks, along with reassuring their customers that this won’t happen again because they’ve taken all required steps to secure customer data.

If You Use Dropbox, It Could Be Sending Your Data To Open AI

Posted in Commentary on December 13, 2023 by itnerd

From the “like seriously??” department comes news that Dropbox may be sending your data to Open AI:

On Wednesday, news quickly spread on social media about a new enabled-by-default Dropbox setting that shares your Dropbox data with OpenAI for an experimental AI-powered search feature. Dropbox says that user data shared with third-party AI partners isn’t used to train AI models and is deleted within 30 days.

Even with assurances of data privacy laid out by Dropbox on an AI privacy FAQ page, the discovery that the setting had been enabled by default upset some Dropbox users. The setting was first noticed by writer Winifred Burton, who shared information about the Third-party AI setting through Bluesky on Tuesday, and frequent AI critic Karla Ortiz shared more information about it on X.

Ortiz expressed worries that the data might be trained secretly without consent. In its FAQ, Dropbox contradicts this claim, saying, “We won’t let our third-party partners train their models on our user data without consent.”

Either way, communication about the change could have been clearer. AI researcher Simon Willison wrote, “Great example here of how careful companies need to be in clearly communicating what’s going on with AI access to personal data.”

Yikes! That’s really bad. Now Dropbox has not provided a comment beyond the FAQ above. Thus I will be interested to see what they say and how they handle this. But if this bothers you, and it should, then here’s how you opt out of this:

Disabling the feature is easy if you prefer not to share Dropbox data with OpenAI. Log into your Dropbox account on a desktop web browser, then click your profile photo > Settings > Third-party AI. This link may take you to that page more quickly. On that page, click the switch beside “Use artificial intelligence (AI) from third-party partners so you can work faster in Dropbox” to toggle it into the “Off” position.

Dropbox better have a good reason for this because right now, this is sketchy AF as the kids say.

Does Dropbox Pose A Security Risk?

Posted in Commentary on September 12, 2016 by itnerd

That is what a report on Hacker News claims. In short, the report claims that Dropbox on the Mac platform appears in the Security & Privacy tab for Accessibility, despite the fact that users are never prompted to grant access to the features. Here’s a video that demonstrates this in action:

I tried this on my Mac and I was able to replicate this behavior….. And I am not amused. Dropbox clearly is feeling the heat as they responded to this on Hacker News, in short saying that it only asks for the permissions it needs and uses the Accessibility features for certain app integrations like Office, although the permissions aren’t as “granular” as the company would like.

My $0.02 worth? Like I said, I am not amused by this behavior. Given that this is the same company behind Project Infinite which some people say would open up your computer to getting pwned on a massive scale, not to mention that the company was the victim of a massive hack of over 60 million Dropbox accounts back in 2012 which required the company to force a password reset, I really don’t think that anyone should give the company a free pass on this issue. There are lots of apps on the Mac platform that want permissions like these, but they ask for them as opposed to just doing whatever it pleases. It also begs the question as to what it does on other operating systems, like Windows for example.

Now if you excuse me, I’m going to remove Dropbox from my Mac as I don’t like having security risks on computers that I rely upon.

UPDATE: I’ve gone one step further and deleted my Dropbox, effectively closing my account. The more I thought about it, the more that this is a security risk that I want no part of. It’s not just the fact that Dropbox asks for permissions on your Mac without user intervention, it’s the fact that some evildoer could leverage that to do something really bad. That’s a chance that I will not take.

Dropbox Scans Your Files For DMCA Violations…. Should You Care?

Posted in Commentary on March 31, 2014 by itnerd

Is this creepy? Or does Dropbox have the right to scan your files for violations of the Digital Millennium Copyright Act (DMCA)? That’s the question being asked right now as a user of Dropbox got a bit of a surprise as he told ARS Technica:

The whole kerfuffle started yesterday evening, when one Darrell Whitelaw tweeted a picture of an error he received when trying to share a link to a Dropbox file with a friend via IM. The Dropbox web page warned him and his friend that “certain files in this folder can’t be shared due to a takedown request in accordance with the DMCA.”

Whitelaw freely admits that the content he was sharing was a copyrighted video but still expressed surprise that Dropbox was apparently watching what he shared for copyright issues. “I treat [Dropbox] like my hard drive,” he tweeted. “This shows it’s not private, nor mine, even though I pay for it.”

Here’s what Dropbox had to say:

Dropbox did confirm to Ars Technica that it checks publicly shared file links against hashes of other files that have been previously subject to successful DMCA requests. “We sometimes receive DMCA notices to remove links on copyright grounds,” the company said in a statement provided to Ars Technica. “When we receive these, we process them according to the law and disable the identified link. We have an automated system that then prevents other users from sharing the identical material using another Dropbox link. This is done by comparing file hashes.”

Dropbox added that this comparison happens when a public link to your file is created, and that “we don’t look at the files in your private folders and are committed to keeping your stuff safe.” The company wouldn’t comment publicly on whether the same content-matching algorithm was run on files shared directly with other Dropbox users via the service’s account-to-account sharing functions, but the wording of the statement suggests that this system only applies to publicly shared links.

And this is not a new behavior from Dropbox:

Dropbox has also been making use of file hashing algorithms for a while now as a means of de-duplicating identical files stored across different users’ accounts. That means that if I try to upload an identical copy of a 20GB movie file that has already been stored in someone else’s Dropbox account, the service will simply give my account access to a version of that same file, rather than forcing me to upload an identical version. This not only saves bandwidth on the user’s end, but significant storage space on Dropbox’s end as well.

Some researchers have warned of security and privacy concerns based on these de-duplication efforts in the past, but the open source Dropship project attempted to bend the feature to users’ advantage. By making use of the file hashing system, Dropship effectively tried to trick Dropbox into granting access to files on Dropbox’s servers that the user didn’t actually have access to. Dropbox has taken pains to stop this kind of “fake” file sharing through its service.

What’s my take? I have a Dropbox account and I have no, as in zero expectation of privacy. If I entrust my data to a third party, I fully expect that at some point they’ll take a look at it. In short, I feel that a third party service like Dropbox should not be treated like your hard drive and they do have the right to make sure that the service isn’t being used for illegal purposes. But I can see how some might see this as being creepy. Thus I think there needs to be more education of users so that these sorts of issues do not flare up and spin out of control because the service in question is trying to do something to protect itself from a potential lawsuit or something similar.
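The two mechanisms described in the quoted Ars Technica piece (hash comparison at public-link creation against previously taken-down content, and hash-based de-duplication that Dropship tried to turn into hash-only access) are easy to model together. The following is an added example, not Dropbox’s code; the store, the takedown list, the challenge scheme and the sample file bytes are all constructed here. The proof-of-possession step (the server issues a nonce and the client must return an HMAC over the actual file bytes before de-duplication grants access) is one generic mitigation for the Dropship-style problem and is an assumption, since the article does not say what Dropbox actually did.

```python
"""Toy model of hash-based de-duplication plus public-link takedown checks.
Added example; not Dropbox's code. Store layout, challenge scheme and sample
data are constructed for illustration."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class DedupStore:
    # content-addressed blobs: sha256 hex digest -> file bytes
    blobs: Dict[str, bytes] = field(default_factory=dict)
    # digests of content that was the subject of a processed DMCA takedown
    takedown_hashes: Set[str] = field(default_factory=set)
    # per-user view: user -> digests the user has been granted access to
    grants: Dict[str, Set[str]] = field(default_factory=dict)
    # outstanding possession challenges: (user, digest) -> server nonce
    challenges: Dict[Tuple[str, str], bytes] = field(default_factory=dict)

    @staticmethod
    def digest(data: bytes) -> str:
        return hashlib.sha256(data).hexdigest()

    def upload(self, user: str, data: bytes) -> str:
        """Full upload: store the bytes (if new) and grant the user access."""
        h = self.digest(data)
        self.blobs.setdefault(h, data)
        self.grants.setdefault(user, set()).add(h)
        return h

    def begin_claim(self, user: str, h: str) -> Optional[bytes]:
        """Client says 'I already hold the file with digest h; skip the upload'.
        Granting access on the digest alone is the Dropship problem: anyone who
        learns the digest gets the bytes. Instead, hand back a fresh nonce."""
        if h not in self.blobs:
            return None  # nothing to de-duplicate against; client must upload
        nonce = os.urandom(16)
        self.challenges[(user, h)] = nonce
        return nonce

    def finish_claim(self, user: str, h: str, proof: bytes) -> bool:
        """Grant access only if the client proves possession by returning
        HMAC(nonce, content). Knowing the digest is not enough to compute it."""
        nonce = self.challenges.pop((user, h), None)
        if nonce is None:
            return False
        expected = hmac.new(nonce, self.blobs[h], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, proof):
            return False
        self.grants.setdefault(user, set()).add(h)
        return True

    def process_takedown(self, h: str) -> None:
        """A successful DMCA request: remember the digest so later public links
        to identical content are refused. Privately stored copies are untouched."""
        self.takedown_hashes.add(h)

    def create_public_link(self, user: str, h: str) -> Optional[str]:
        """Public-link creation is where the hash comparison runs."""
        if h not in self.grants.get(user, set()):
            return None
        if h in self.takedown_hashes:
            return None  # "can't be shared due to a takedown request"
        return "https://example.invalid/s/" + h[:16]  # placeholder link format


def client_proof(nonce: bytes, data: bytes) -> bytes:
    """What an honest client computes over the bytes it actually holds."""
    return hmac.new(nonce, data, hashlib.sha256).digest()


def demo() -> dict:
    store = DedupStore()
    movie = b"constructed sample standing in for a 20GB movie file"  # constructed
    h = store.upload("alice", movie)

    # Bob really has the same file: de-duplication succeeds without re-uploading.
    nonce = store.begin_claim("bob", h)
    bob_ok = store.finish_claim("bob", h, client_proof(nonce, movie))

    # A client that only knows the digest cannot answer the challenge.
    nonce = store.begin_claim("mallory", h)
    mallory_ok = store.finish_claim("mallory", h, client_proof(nonce, b"digest only"))

    link_before = store.create_public_link("alice", h)
    store.process_takedown(h)
    return {
        "bob_granted": bob_ok,
        "mallory_granted": mallory_ok,
        "link_before_takedown": link_before is not None,
        "link_after_takedown": store.create_public_link("alice", h),
        "bob_link_after_takedown": store.create_public_link("bob", h),
        "blob_still_stored": h in store.blobs,  # private copy is not deleted
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The model keeps the two decisions separate on purpose: the takedown list only gates public-link creation (matching the statement that private folders are not inspected), while the possession challenge only gates de-duplication, so a legitimate second owner still avoids a re-upload but a digest-only claimant does not get the bytes.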

Woman Gets Phone Stolen. Then Nude Selfies Appear In Her Dropbox

Posted in Commentary on January 17, 2014 by itnerd

Imagine this. Your phone gets stolen and you report it to the cops. You then get the phone replaced and you go on with life. That’s what happened to Victoria Brodsky. Apparently her Samsung Galaxy S3 and her wallet were stolen at a street festival and she moved on once her phone was replaced.

Then this happens according to news.com:

For in her Dropbox she discovered images and footage of a naked couple. Brodsky herself wasn’t a party to this writhing party. The dates on the images suggested that they had been taken between the time her phone had disappeared and a replacement had arrived.

She had, indeed, linked her Galaxy with her Dropbox, and here were images of trouser-dropping carnality from another galaxy.

The lady and gentleman in question look broodily into the camera. As for the videos, Brodsky told the Daily News: “Sex looks very boring in their house.”

That’s right. It appears that the couple have been using the stolen phone, which is set to automatically upload photos to Brodsky’s Dropbox account, to shoot some nude selfies. This of course is getting all sorts of attention. Except from the police, who will not act on this because she can’t prove that the frolicking couple stole the phone. I find that to be lame because at the very least, they’re in possession of stolen property, which the last time I checked was illegal. Hopefully now that this story is going viral on the Internet, the cops will actually do something about this. Or the couple whose pictures are now all over the Internet have the good sense to turn themselves in…. Assuming someone doesn’t turn them in.

Dropbox Explains And Apologizes For Outage

Posted in Commentary on January 13, 2014 by itnerd

If you’re a user of the popular cloud storage service known as Dropbox, you might not have been able to use it late last week. Now the service could have easily swept this under the rug, but they didn’t. Instead they’ve been shockingly transparent. Two blog posts have gone up to explain what happened. Here’s what you need to know:

On Friday at 5:30 PM PT, we had a planned maintenance scheduled to upgrade the OS on some of our machines. During this process, the upgrade script checks to make sure there is no active data on the machine before installing the new OS.

A subtle bug in the script caused the command to reinstall a small number of active machines. Unfortunately, some master-slave pairs were impacted which resulted in the site going down.

Just as important, they said this:

We’re sorry for the trouble this caused, and we thank you for your patience and support.

I applaud this level of transparency as Dropbox admitted that they had an issue, explained what it was, and apologized. It is refreshing to see this as companies often have to be shamed into doing this, if they do it at all. That makes me want to continue to use Dropbox as clearly they have their users’ interests in mind.