How Dropbox hacks your mac

Wow, this is <i>really</i> bad. There is no need for it as Apple has an API for finding out which files have changed. I assume they do this simply to animate the little icon in the Finder (since I don&#x27;t think anyone else does anything like it, and it was a famous question by Jobs to the DB founders). Although the author&#x27;s follow on article suggest it&#x27;s just for future use!<p>I guess that&#x27;s it for Dropbox for me. Though as the author says, they&#x27;re not going to care.

Wow, this is really impressively brazen. A faked authorization prompt, and silent reconfiguration of a security setting without authorization? I cannot fathom why DropBox thinks this is a good idea.

Dropbox has always been doing been forcing users to give it admin permissions for non-necessary reasons. I posted about this on the Dropbox forums back in 2009:<p><a href="http:&#x2F;&#x2F;web.archive.org&#x2F;web&#x2F;20120127192749&#x2F;http:&#x2F;&#x2F;forums.dropbox.com&#x2F;topic.php?id=14994" rel="nofollow">http:&#x2F;&#x2F;web.archive.org&#x2F;web&#x2F;20120127192749&#x2F;http:&#x2F;&#x2F;forums.drop...</a><p>Seven years later and they&#x27;re still at it? I doubt this article will make them change.<p>I noted that, curiously, if I denied it admin permissions, Dropbox would still work. I know for fact that it I never granted admin permissions because I did not have my own computer back then, and I was using Dropbox just fine.<p>What really baffles me is why they don&#x27;t give users a choice of whether to make their system less secure when their product clearly works without those extra permissions.

I installed Dropbox, fully knowing that it embedded itself into the OS. But I assumed that it was using a proper API to do so.<p>I need to rethink that soon. If macOS Sierra&#x27;s (to be released next week?) similar replication features work properly, doesn&#x27;t Dropbox become expendable for customers playing exclusively within Apple&#x27;s ecosystem?

Yikes!:<p><pre><code> $ ls -l &#x2F;Library&#x2F;DropboxHelperTools&#x2F; total 1492 -r-s--x--x 1 root wheel 1523840 31 Aug 18:22 DropboxHelperInstaller* drwxr-xr-x 12 root wheel 408 31 Aug 18:22 Dropbox_u501&#x2F;</code></pre>

I totally missed this post - but having read it am pretty shocked. Is that really what the app is doing? Storing the admin password so that it can override your OS settings?<p>Not happy about that at all...<p>What are the implications of not giving it your admin password?

Whoever made this decision probably doesn&#x27;t realize how people like us tend to steer a lot of the decisions that drive Dropbox usage. I&#x27;ve had to ask 5 companies to install Dropbox this year. And I was already thinking to myself -- why Dropbox? Because it&#x27;s popular? Now I&#x27;m going to be looking seriously at Box instead.

That is pretty sleazy. Here the author provides instructions on how to remove this:<p><a href="http:&#x2F;&#x2F;applehelpwriter.com&#x2F;2016&#x2F;07&#x2F;28&#x2F;revealing-dropboxs-dirty-little-security-hack&#x2F;#comment-27348" rel="nofollow">http:&#x2F;&#x2F;applehelpwriter.com&#x2F;2016&#x2F;07&#x2F;28&#x2F;revealing-dropboxs-dir...</a>

BTW there actually is a legit case when DB would need your admin permissions: so you can save files with different ownership (or suid files) in your DB.<p>But they could handle this by asking for permission when they need to read&#x2F;write those files.<p>None of this excuses them: since they use an underhanded dialog box I don&#x27;t trust them at all. Unfortunately.

Dropbox does this because it uses the accessibility features of the OS in order to implement the Dropbox Badge [1] &#x2F; Project Harmony.<p>[1] <a href="https:&#x2F;&#x2F;www.dropbox.com&#x2F;help&#x2F;7672" rel="nofollow">https:&#x2F;&#x2F;www.dropbox.com&#x2F;help&#x2F;7672</a>

Now I have to wonder if this sort of nonsense goes on with their Windows and mobile (iOS&#x2F;Android) implementations. Or are those OSes too different from how OSX works to be comparable?

Do anybody know <i>why</i> they are doing this? It seems like a lot of effort to go through, for no apparent reason.

tl;dr: When dropbox asks for your admin password it stores it in it&#x27;s own cache to keep having access and perform admin-level tasks.<p>It&#x27;s not a hack, it&#x27;s you giving away your credentials on a screen that&#x27;s designed to look like a system password prompt.<p>A Dark UI pattern at most, and a security leak whenever someone hacks the dropbox auth storage. Not a hack, just clickbait.