Cyber Security Institute

Thursday, April 28, 2011

Dropbox 1.2 Experimental Build Fixes Security Issue

Attackers could use the file on any other computer with Dropbox installed to download all of the original owner's files, without entering the Dropbox login credentials and without any notification in the Dropbox dashboard that another device had been used to download the data.  Dropbox 1.2 introduces a new encrypted database format to “prevent unauthorized access to local Dropbox client database” in addition to the security enhancements.  This is related to the security issue, as the user who discovered the vulnerability in the first place uncovered it by analyzing the local Dropbox client database.

The issue caused quite a controversy among users, as it could only be exploited if an attacker was able to get access to the computer.  And with that access comes all kinds of power, including the ability to snag files directly from the local computer.

That update is now available in the form of an experimental Dropbox 1.2 build for all supported desktop operating systems.  Cautious users may consider waiting for the final release of Dropbox 1.2 before updating to the new version.

It took Dropbox less than two weeks to develop the means to protect the configuration files and databases on the local system.

Posted on 04/28