{"id":1995,"date":"2011-04-21T22:53:11","date_gmt":"2011-04-21T22:53:11","guid":{"rendered":"http:\/\/www.bartbusschots.ie\/blog\/?p=1995"},"modified":"2014-08-04T16:34:51","modified_gmt":"2014-08-04T16:34:51","slug":"where-does-dropbox-store-the-host-id-on-os-x","status":"publish","type":"post","link":"https:\/\/www.bartbusschots.ie\/s\/2011\/04\/21\/where-does-dropbox-store-the-host-id-on-os-x\/","title":{"rendered":"Where Does DropBox Store the Host ID on Mac OS X?"},"content":{"rendered":"<p>The technosphere is abuzz this week with the news that DropBox&#8217;s security has a rather large and rather stupid hole in it. I&#8217;m only going to give a brief overview of the issue here, so if you&#8217;d like more details please check out the <a href=\"https:\/\/www.memonic.com\/user\/toni\/set\/all\/id\/1pXRb\" target=\"_blank\">blog post that broke the story<\/a>. What I do want to say is that this is a really infantile mistake on DropBox&#8217;s part, and the fact that they could overlook something so elementary for so long worries me a lot.<\/p>\n<p>Anyhow &#8211; the whole problem revolves around the Host ID which DropBox uses to identify a computer within your account. This code acts as both an identifier and a password, and it&#8217;s a big long string of random-looking gibberish. The problem is not that this ID is easy to guess, but rather that it&#8217;s not tied to any particular machine. If a bad guy gets their hands on the file containing this ID they can effectively clone your machine in DropBox&#8217;s eyes, and see your files in perpetuity, regardless of how many times you change your password. The only way to kill the bad guy&#8217;s access would be to de-authorise the machine whose ID they cloned in your account pages on the DropBox website.<\/p>\n<p>The original blog post that broke this story describes in detail where you can find this ID on Windows, but doesn&#8217;t mention any other OSes. 
Quite a few listeners to my various podcasts have asked me if I know where the file is located on the Mac. I didn&#8217;t, but I figured it would be worth spending a little time finding the answer.<\/p>\n<p><!--more--><\/p>\n<p>The first place I looked was in the <code>Library<\/code> folder in my home folder; this is where Mac apps are supposed to store settings and state information, but DropBox doesn&#8217;t store its data there. Spotlight also didn&#8217;t find any settings files when I searched for &#8216;dropbox&#8217;, so I turned to the Terminal and issued the simple command:<\/p>\n<pre>\r\nfind ~\/ -name '*drop*'\r\n<\/pre>\n<p>The first result returned hit pay dirt! DropBox does not do things the Mac way, but the Unix\/Linux way; given that OS X is a certified Unix OS, this is not a total shock. So, on OS X, DropBox puts its settings and caches in a folder called <code>.dropbox<\/code> in your home folder. Because the name of this folder starts with a <code>.<\/code>, it&#8217;s a hidden file, so you won&#8217;t see it in the Finder; however, once you know it&#8217;s there you can browse to it in the Finder easily.<\/p>\n<p>To have a look at the content of this folder, open a Finder window and either go to the <code>go<\/code> menu and select <code>Go to Folder ...<\/code>, or hit <code>cmd+shift+g<\/code>. This will pop up a little dialog that lets you enter the path you want to go to; into that text box enter <code>~\/.dropbox<\/code> and hit return. Voila, you&#8217;re in!<\/p>\n<p>This folder contains some caches and a few other things as well as a file called <code>dropbox.db<\/code>. The file extension suggests that it&#8217;s an SQLite database, so I fired up <a href=\"http:\/\/sqlitebrowser.sourceforge.net\/\" target=\"_blank\">SQLite Browser<\/a> to have a look inside. As expected, this file is indeed an SQLite DB, and it contains three tables, one of which is called <code>config<\/code>. 
This table has just 9 entries, one of which has the key <code>host_id<\/code> &#8211; mission accomplished!<\/p>\n<p><em><strong>Update:<\/strong><\/em> different versions of DropBox on the Mac store the key in different files. The file is always in <code>~\/.dropbox<\/code>, but could be called <code>config.db<\/code> or <code>dropbox.db<\/code>. As DropBox auto-update also seems to be broken, there is a wild variety of versions out there in use, and the people using old versions have no idea their versions are not current.<\/p>\n<h3>So &#8211; in short, the file you need to worry about keeping safe on the Mac is either <code>~\/.dropbox\/dropbox.db<\/code> or <code>~\/.dropbox\/config.db<\/code>.<\/h3>\n","protected":false},"excerpt":{"rendered":"<p>The technosphere is abuzz this week with the news that DropBox&#8217;s security has a rather large and rather stupid hole in it. I&#8217;m only going to give a brief overview of the issue here, so if you&#8217;d like more details please check out the blog post that broke the story. 
What I do want [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[12,17,446],"tags":[442,386,26],"series":[],"class_list":["post-1995","post","type-post","status-publish","format-standard","hentry","category-computers-tech","category-security","category-sysadmin","tag-cloud-service","tag-dropbox","tag-os-x"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/p7t9xK-wb","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.bartbusschots.ie\/s\/wp-json\/wp\/v2\/posts\/1995","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.bartbusschots.ie\/s\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.bartbusschots.ie\/s\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.bartbusschots.ie\/s\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.bartbusschots.ie\/s\/wp-json\/wp\/v2\/comments?post=1995"}],"version-history":[{"count":6,"href":"https:\/\/www.bartbusschots.ie\/s\/wp-json\/wp\/v2\/posts\/1995\/revisions"}],"predecessor-version":[{"id":7440,"href":"https:\/\/www.bartbusschots.ie\/s\/wp-json\/wp\/v2\/posts\/1995\/revisions\/7440"}],"wp:attachment":[{"href":"https:\/\/www.bartbusschots.ie\/s\/wp-json\/wp\/v2\/media?parent=1995"}],"wp:term":[{"taxonomy":"category","embedda
ble":true,"href":"https:\/\/www.bartbusschots.ie\/s\/wp-json\/wp\/v2\/categories?post=1995"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.bartbusschots.ie\/s\/wp-json\/wp\/v2\/tags?post=1995"},{"taxonomy":"series","embeddable":true,"href":"https:\/\/www.bartbusschots.ie\/s\/wp-json\/wp\/v2\/series?post=1995"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}