Why does Dropbox ask for your computer password

Tricking users into giving up their admin password is unethical hacking. Dropbox needs to respond and remove this hack.

Brandon A.2

You better have a really good [removed by moderator] explanation for doing this, Dropbox.. I don't pay you to steal my login password.

Kim,

Please watch your language on these public forums or your posts could be removed or your account suspended. Your post has been edited. Thank you.

https://news.ycombinator.com/item?id=12463338

Cross-linking for reference:

This reply will be updated with other posts as they are closed and redirected here.

[Mod update December 11, 2019: updated and removed old links]

John B.194

A person claiming to be a dropbox employee responded to this on the original post downplaying the thing. I think an official statement would be nice.

I don't believe the "employee" who responded. One of the things he said was accessibility is required for badges. I removed Dropbox's accessibility access, but the badges show up just fine. I've not noticed any functionality missing.

I removed Dropbox's accessibility access, but the badges show up just fine. I've not noticed any functionality missing.

The badge appeared, but did you test its full functionality? If not, then it wasn't a valid test of the accessibility requirements.

I'm not arguing for or against either side. I'm only stating that simply seeing the badge show up is not a valid indicator that it's working properly.

Good point. One feature is not a complete test. However, I continue to use Dropbox for syncing, app access (i.e. native API access from the app) and finder/pathfinder integration all seem to work fine. Anything else I should test?

BTW, it was stated by the person claiming to be a Dropbox employee that accessibility was needed for badges. It seems reasonable to expect Dropbox to explain what access is truly required, why and how this unusual authentication process works.

The thing, Rich, is that there is absolutely no reason for Dropbox not to go through the regular security channels already in OS X. They could just as easily have used Apples APIs to do the same thing instead of doing something that is essentially a "hack". They create their own permission window which gives the illusion that it's OS X asking you, not Dropbox. It's deceitful and extremely weird.

Razvan Boxifier

@Leon N: did you test for the Dropbox Badge (Project Harmony - Microsoft Office integration) feature or the sync badges in Finder? Dropbox uses the accesibility features of the OS for the "Project Harmony" feature.

They could just as easily have used Apples APIs

According to the Dropboxer that posted on the other site, they did use Apple's API. Emphasis mine.

We never see or store your admin password. The dialog box you see is a native OS X API (i.e. made by Apple).

Someone else then commented:

To clarify for others: In /Library/DropboxHelperTools, you'll find a folder for each user full of setuid tools which run as root and do various privileged things. I assume that the client is presenting the normal OS X "ask for elevated access" UI and then using that elevated access to configure and install these. (I don't work for Dropbox or anything; I've just been poking around.)

Anything else I should test?

Razvan's got it. It's not the green check or blue sync badges that go over your files. It's the Dropbox Badge feature formerly known as Project Harmony that uses accessibility features. This is used to notify you when another user opens a file that you're in, updates your document to the latest version when someone else makes a change to it, etc.

Marco P.10

There is no excuse for dropbox to re-add itself, especially after you removed the application. They are hacking users and hurting them.

Sebastian S.13

Exactly! When the user removes the permission, DB should at least ask for it again. And if it's not given (which you can only do on first install or by following the instructions of the author of the post), DB shouldn't be asking for it every time the system reboots, specially when everything works just fine without those permissions.

Looking forward for this "feature" to be removed in the near future. In the meantime my files go somewhere else.

https://techcrunch.com/2016/09/09/dropbox-responds-to-accusations-its-mac-desktop-client-hacks-os-x-security/

I've never heard of Project Harmony and don't use integration with MS Office, so I guess that's why I haven't had a problem.

I see that Dropbox has created a help article about this. Still, the approach doesn't sit well with me. I can understand that certain elevated permissions are required for some features. Dropbox is the kind of tool that needs to be integrated into the OS to provide all of the capabilities that it does. The way it goes about this is what concerns me.

It needs to be clearer about what it needs permissions for. For example, I don't recall seeing any notice that the app would automatically update itself. Every other app I use that has an autoupdate function (including macOS) asks if I want auto updates. There are very good reasons to give the user control over this function (being on a low bandwidth connection, needing to test software changes before using them in production, etc.). Also, if accessibility is only required for MS Office integration, ask if I want to use it rather than installing it and changing accessibility settings. There could be very good reasons why I wouldn't want the integration.

Dropbox also should not give itself the ability to make changes to the system that require elevated privileges without prompting. If I remove a feature like accessibility, Dropbox should not add it back without asking permission. What if a hacker figures out how to hack the Dropbox client into letting malware have the same privileges? This may be a very rare scenario, but how do the ease of use benefits outweigh the security needs? If Dropbox needs access that I took away, it can detect it and prompt me to allow it again, warning me what will break and, if appropriate, letting me keep it off permanently.

Robert S.

https://www.engadget.com/2016/09/10/dropbox-addresses-mac-app-security/

http://www.macrumors.com/2016/09/12/dropbox-responds-to-mac-security-risk-accusations/

Daniel S.48

I don't have Office. And even if I did, I wouldn't care about the integration. Dropbox should prompt users specifically for the office integration bit, and if they consent should then do the admin prompt and set up the Accessibility insertion. I still think it's a bad idea, but there's no better solution for cross-app control like that.

At the very least, Dropbox should absolutely not be so pernicious about virally restoring its Accessibility permissions. Like… literally checksumming the SQL injection executable and overwriting it on startup is insane. The only way that executable could get overwritten (but not removed) to something other than the what Dropbox created is if a user is actively trying to prevent Dropbox from doing its Accessibility tricks.

I would be a lot more OK with this situation if it were possible to opt out as a user without generating admin prompts every time I start Dropbox. I mean, it's still a massive breach of user trust, but at least it would be a tenable situation. But as things are… Dropbox is basically acting as a virus which hasn't yet done anything with its control of my computer.

Pad 4.

"Trust is the foundation of our relationship with hundreds of millions of people and businesses around the world."

https://blogs.dropbox.com/dropbox/2016/06/transparency-report-jul-dec-2015/

I would like a statement from Dropbox CEO accepting how seriously this behaviour is a betrayal of trust, explaining how Dropbox came to decide that this working in this way was acceptable, and what changes are going to be made to stop similar choices being made in the future.

Jared N.

My reaosns for this are actually true because..:

(a on one hand while the dialg asking for authentication "could" be fake, Apple takes a different view, saying this just cannot happen..

(b many app apps for authentication. not just dropbox as valid reason

and

c) The fact dropbox appears in accessibility, puts the fear into everyone thinks the whole thing its a phish attempt..

oh ya ..and

(d the dialog is miss-leading... (you can argue this for anything)

John B.194

I got a reply from support. Took them 133 hours instead of 24-48 for paying customers. And the answer was a non response that they would pass it on to development.

So disappointing...

I got an answer within 48 hours, but the answer was a template one which had nothing to do with my question. Great work, Dropbox.

Richard P.

You expect support to hand craft a reply to each of the thousands of *extra* tickets this issue caused to be raised, rather than helping people with actual problems?

Support is there for support, not for Public Relations comments. You wanted a PR reply, not support.

Robert S.

... thousands of *extra* tickets this issue caused...

Seems a bit of an excessive estimate, probably more like a couple of dozen or so.

https://developer.apple.com/reference/security/1669767-authorization_services_c#//apple_ref/doc/constant_group/Name_Tags

Richard, no, I expect them to actually give me an answer that at least has remotely to do with my question, and not a template reply that has nothing to do with anything of what I asked. They could at least craft a response that has to do with this issue, and not just push random buttons in their ticket system.

You might not see this as important or that bad, but I do. The way the company has handled this is really bad, and considering I actually pay for this service, they should be extremely transparent in what's going on, and remedy the situation ASAP. Because, as mentioned above, there is no reason for doing what they do, at least not without asking us if it's OK during install.

Jared N.

"Seems a bit of an excessive estimate, probably more like a couple of dozen or so:

Doesn't matter if it's excessive.... it should have not happened in the first place.

Just by saying .. We have to get round it, so we would rather give "full remote access to an app" is not the solution to do stuff. when u'r supposed to care about users privacy and security

This is the total reversal of what is stated on their website regarding privacy & security..

Not only is there no need for full remote access, there is also no need to fake OS X's dialog (which in my view gives the whole thing away anyway)

And Apple thought these dialogs could not be faked Well.. Dropbox did it.

Richard P.

Once again, the dialog is NOT being faked - that claim has been debunked a lot in the past week or so since the claim was made, its a perfectly normal OSX privilege raising authentication dialog.

The "fake dialog" determination was based on the fact that some of the text is misaligned and its general look and feel, but you can reproduce that with your own OSX authentication dialog by supplying the same text to the call -

https://developer.apple.com/library/mac/documentation/Security/Reference/authorization_ref/#//apple_ref/c/func/AuthorizationCopyRights

Its a proper OSX dialog, just using an older system C API available on OSX since 10.3 whereas most people have moved over to the newer ObjC and Swift based calls which look different, hence the confusion.

Robert S.

Jared, repetition of a debunked conspiracy theory doesn't make it any less so.

Kudos though to a certain no-mark blog nobodies ever heard of for the boost to their page views. Shame there's no willingness to correct the misinformation, even when a DB dev takes the time and trouble to personally reach out, but there you go.

Marcin D.

Jared as the guys have said it's not being faked. it's an older call, it's that simple. not everybody does things "modern" at times and sometimes it's more efficent to use an older call. specifically if it dont mesh with your current build, because let's say somebody fell behind,so you cant implement all the next features.

I'll never understand why people lose their minds over things such as requiring a password to elevate an install or to set a service level. rather dropbox have it, then some random hacker. least I feel safe with these guys.