The technosphere is abuzz this week with the news that DropBox’s security has a rather large and rather stupid hole in it. I’m only going to give a brief overview of the issue here, so if you’d like more details please check out the blog post that broke the story. What I do want to say is that this is a really infantile mistake on DropBox’s part, and the fact that they could overlook something so elementary for so long worries me a lot.
Anyhow – the whole problem revolves around the Host ID which DropBox uses to identify a computer within your account. This code acts as both an identifier and a password, and it’s a big long string of random-looking gibberish. The problem is not that this ID is easy to guess, but rather that it’s not tied to any particular machine. If a bad guy gets their hands on the file containing this ID they can effectively clone your machine in DropBox’s eyes, and see your files in perpetuity, regardless of how many times you change your password. The only way to kill the bad guy’s access would be to de-authorise the machine whose ID they cloned in your account pages on the DropBox website.
The original blog post that broke this story describes in detail where you can find this ID on Windows, but doesn’t mention any other OSes. Quite a few listeners to my various podcasts have asked me if I know where the file is located on the Mac. I didn’t, but I figured it would be worth spending a little time finding the answer.
The first place I looked was in the Library folder in my home folder; this is where Mac apps are supposed to store settings and state information, but DropBox doesn’t store its data there. Spotlight also didn’t find any settings files when I searched for ‘dropbox’, so I turned to the Terminal and issued the simple command:
find ~/ -name '*drop*'
The first result returned hit pay dirt! DropBox does not do things the Mac way, but the Unix/Linux way; given that OS X is a certified Unix OS, this is not a total shock. So, on OS X, DropBox puts its settings and caches in a folder called .dropbox in your home folder. Because the name of this folder starts with a ., it’s hidden, so you won’t see it in the Finder; however, once you know it’s there you can browse to it in the Finder easily.
To have a look at the content of this folder, open a Finder window and either go to the Go menu and select Go to Folder ..., or hit cmd+shift+g. This will pop up a little dialog that lets you enter the path you want to go to; into that text box enter ~/.dropbox and hit return. Voila, you’re in!
This folder contains some caches and a few other things as well as a file called dropbox.db. The file extension suggests that it's an SQLite database, so I fired up SQLite Browser to have a look inside. As expected, this file is indeed an SQLite DB, and it contains three tables, one of which is called config. This table has just 9 entries, one of which has the key host_id - mission accomplished!
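Since the host_id is a bearer credential, the practical questions for a defender are whether the file holding it is readable by anyone other than you and whether the ID has changed after you de-authorise and re-link a machine. The following is an added example of such a check, not code from the original post or from DropBox; it assumes the config table has key and value columns and builds its own stand-in database rather than touching a real ~/.dropbox, and it reports only a fingerprint of the ID, never the ID itself.

```python
import hashlib
import os
import sqlite3
import stat
import tempfile

def build_sample_db(directory):
    """Construct a stand-in for ~/.dropbox/dropbox.db (constructed data, not a real client file)."""
    path = os.path.join(directory, "dropbox.db")
    con = sqlite3.connect(path)
    # Assumed schema: a two-column key/value table named config, as the post describes.
    con.execute("CREATE TABLE config (key TEXT PRIMARY KEY, value TEXT)")
    con.executemany("INSERT INTO config VALUES (?, ?)", [
        ("host_id", "0123456789abcdef0123456789abcdef"),  # placeholder, not a real host ID
        ("email", "user@example.com"),
    ])
    con.commit()
    con.close()
    os.chmod(path, 0o644)  # deliberately group/world readable to exercise the check
    return path

def audit_host_id_file(path):
    """Report on a DropBox config DB without exposing the host_id value itself."""
    report = {"exists": os.path.isfile(path)}
    if not report["exists"]:
        return report
    mode = stat.S_IMODE(os.stat(path).st_mode)
    report["mode"] = oct(mode)
    # Any other local account that can read this file holds a usable credential,
    # so anything beyond owner-only access is a finding worth fixing (chmod 600).
    report["group_or_world_readable"] = bool(mode & (stat.S_IRGRP | stat.S_IROTH))
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)  # read-only: do not alter the client's DB
    tables = {r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type='table'")}
    report["has_config_table"] = "config" in tables
    report["host_id_present"] = False
    if report["has_config_table"]:
        row = con.execute("SELECT value FROM config WHERE key = 'host_id'").fetchone()
        if row is not None:
            report["host_id_present"] = True
            # A short hash is enough to tell whether the ID changed after re-linking.
            report["host_id_sha256_prefix"] = hashlib.sha256(str(row[0]).encode()).hexdigest()[:12]
    con.close()
    return report

def audit_sample():
    """Build the constructed sample DB in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_host_id_file(build_sample_db(tmp))

if __name__ == "__main__":
    print(audit_sample())  # on a real Mac: audit_host_id_file(os.path.expanduser("~/.dropbox/dropbox.db"))
```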
Update: different versions of DropBox on the Mac store the key in different files. The file is always in ~/.dropbox, but could be called dropbox.db. As DropBox auto-update also seems to be broken, there is a wide variety of versions out there in use, and the people using old versions have no idea their versions are not current.