Child Item

Serious security issue with the recent upgrade

SERIOUS SECURITY ISSUE

I have been managing Dropbox for a number of companies for 10 years or more.

The recent upgrade that was pushed out to a company I manage last Thursday 01 Sept 2022 has exposed a serious security bug in the Dropbox upgrade

After the upgrade whilst adding a Business DropBox account to a new profile on a new laptop, a folder with several subfolders unrelated to the account I was installing appeared during the sync process. The initial sync took several hours to complete but during that time the private folders from a different account in the same enterprise were visible and accessible, 117 GB of data not shared at all with the account was available without restriction. Selective sync did not list the folders as they were not shared with the account at all so could not be removed by unticking them in selective sync. When the sync process was complete the folders disappeared from the root folder but upon further examination there is now a folder in the local accounts private folder with the same folder name appended with (shared folder conflict) and it contains 53.9GB of data from the other unrelated account with access "Only You" indicating they are not copies synced back to the original folders. This account now contains data it should never have had access too and the other account holder would have no idea this had happened

Find more posts tagged with

Desktop

Security

Insightful

Disagree

Accepted answers

Toorumbee

Explanation provided by Ben, a member of the Dropbox advanced support team.

Why was brisbane able to access the "Marsupial Dropbox" folder owned by mlmdropbox?

"On the 9th of September, the Marsupial DropBox user account moved the Marsupial Dropbox folder into the Glascott Group's shared workspace. This caused it to inherit the permissions of the teams shared workspace, causing brisbane to gain access. I can see you immediately removed access however since this occurred while the computer was performing the sync, it was enough time for the client to recognise access was given and start syncing. Since access was revoked mid-sync, a shared folder conflict was automatically created and moved to your personal folder."

What Ben has discovered and explained is that if a Team folder obtains Everyone access even for as little as a few seconds, such as will happen when a folder moved to the Team space automatically inherits permissions from that Team space, in as little as a few seconds before those permissions are removed another account that normally doesn't have access to that folder can gain access if that other account is in the process of syncing data to a computer when that brief window of access is granted

In the case in question instead of access only lasting for the few seconds access was actually granted the access lasted long enough for 53.9GB of data to be downloaded into the other account and instead of it being removed when the sync process finally after several hours was blocked from further access, the 53.9 GB of data was moved to the accounts personal folder and renamed as a (shared folder conflict) giving the account full ongoing access to all that data with the original owner of the data completely unaware this security breach had happened

Essentially this means that because any folder created in or moved to the Team space is now automatically assigned Everyone access, even if you immediately remove that access and restrict access only to selected users you can never be sure whether someone who was not intended to have access can access the contents of that folder possibly for hours and then retain access to what was incorrectly sync'd as a (shared folder conflict)

All comments

Walter

Hey @Toorumbee, thanks for flagging this with us.

I don't know how this might have happened, but I'd strongly suggest reaching out to our Support team for further assistance as they're best equipped to help out with account and device specific information.

You can let me know your ticket ID once you do, so that I can locate it in our system too.

Thanks!

Toorumbee

Hi Walter

I have already raised a ticket regarding this and other issues I have found with the upgrade Ticket #18542943: TEAMS: Recent Upgrade

And when asked for my opinion regarding the upgrade I have replied 3 times to Mackenzie (Dropbox Support) <support-dropbox-business-migration@dropbox.zendesk.com> but have only had one reply to my first email that didn't really address any of my concerns regarding the upgrade

I have left the folder that shouldn't be there in the account as evidence of the problem and you can see it contains 53.9GB of data from a different account altogether and it is actually content from what is in the private folder of the other account and it is now inside the Private folder of this account and contains 3 other folders from the other account. None of those folders are shared with this account at all

Nancy

Hey @Toorumbee, I hope you don’t mind if I jump in here.

I’ve located your ticket number in the system and have left an internal note, so that our support agent knows you’ve reached out to us here.

Apart from that, I’d definitely recommend getting in touch with them again in the same email thread, so that they can continue looking into your request.

Since they have more account visibility on their end, I believe it’d be easier to check what happened this way.

If you need something else though, let me know.

Toorumbee

Hi Nancy

The only reason I posted in the community is to notify other Dropbox users of the potential for this to happen, if it can happen once it can happen again and unsuspecting users may have their data exposed to others in a way they didn't expect.

I have pursued this and several other issues related to this upgrade through raising a ticket Ticket #18542943: TEAMS: Recent Upgrade to which I see has been assigned to Mackenzie

Status: Open

Ticket #18542943

Assigned to: Mackenzie

0 Replies

There is no response to the ticket from Mackenzie

After the upgrade I got this email

"Your account has been successfully upgraded to the latest version of Dropbox Business. Please respond to this email if you have feedback on the new experience or if you encounter any issues."

I replied to this request for feedback 3 times and so far in the 2 responses from migration support Mackenzie (Dropbox Support) <support-dropbox-business-migration@dropbox.zendesk.com> I got a generic answers with basic instructions on how to use DropBox with links to Dropbox help pages. Here is an example from Mackenzie's response

------------------------------------------------------

Adding files and folders to the team space is the best way to share them with your team members, whether you want to share it with your entire team, or just a few specific people. By default, all the folders within the team shared workspace, are shared with the group which is named Everyone in (business name), with editing permissions. The group named Everyone in (business name) consists of all the team members which have been invited to your Business team account with a paid license. Content within the member folder on the other hand, which is the folder in any team member's account with their user name on it, remains private to each team member, unless shared manually from the user's end.

To be able to share the Team folders with specific people in your team account, as Team folders are accessible by all team members unless specified otherwise, you will need to remove the default group from the specific Team Folders. Please check below on how you can accomplish this:

1.Sign in to www.dropbox.com with your Admin credentials.
2.Click Admin Console.
3.Click Content tab.
4.Click Manage by the team folder that you want to adjust.
5.In the popup window that appears, You can see which Groups have access. Click "remove" on the default group named "Everyone in (business name)"

------------------------------------------------------------

I have been managing Dropbox for several companies for more than 10 years, I don't need to be told these basic instructions as if I am unaware of how Dropbox works and implying my problems are a result of my ignorance, I want answers addressed to the valid issues I have raised, but so far nothing but general instructions on how to use DropBox

Hannah

Thanks for your extra info, @Toorumbee.

I can assure you that the agent assigned to your case is working on it and you'll have a response from them soon.

Let us know if you need anything else.

Toorumbee

Explanation provided by Ben, a member of the Dropbox advanced support team.

___ver

To completed for this 90year old to understand need and nysestive to install on 24imac