![]() ![]() “Clearly we need to do a better job communicating about Dropbox’s OS integration. We ask for permissions once but don’t describe what we’re doing or why. We’ll fix that,” Dropbox’s Ben Newhouse, from its desktop client team, told TechCrunch. Dropbox App For Mac DesktopĬoncerns about Dropbox’s desktop client circulated on Hacker News and Twitter today, after two recentposts on an Apple help blog detailed what the writer dubbed OS X security “hacks” by Dropbox. In one of the AppleHelpWriter posts Dropbox is described as “using a sql attack on the tcc database to circumvent Apple’s authorization policy.”Īnd while allegations that Dropbox was creating a spoof dialogue box to phish users’ passwords proved to be incorrect, critics continued to slate its implementation of an official OS X security dialogue box that they said appeared designed to mislead users into handing over their admin passwords in order to grant Dropbox root access to the system via the Mac’s Accessibility permissions list. “We use accessibility APIs for the Dropbox badge (Office integrations) and other integrations (finding windows & other UI interactions).” To clarify: It is a legitimate OS X dialog with misleading text + they hack around the OS security for accessibility Īddressing criticisms about the scope of the permissions the client requires, Newhouse said: “We only ask for privileges we actively use - but unfortunately some of the permissions aren’t as granular as we would like. “We use elevated access for where the built-in FS APIs come up short. ![]() We’ve been working with Apple to eliminate this dependency and we should have what we need soon,” he added. Newhouse also asserted that Dropbox is not viewing or storing Mac users’ admin passwords. “We never see or store your admin password. The dialog box you see is a native OS X API (i.e. The intent was never to frustrate people or override their choices.” made by Apple),” he said.Īs to why Dropbox needs admin privileges in the first place, he said: “We check and set privileges on startup - the intent was to make sure Dropbox is functioning properly, works across OS updates, etc. It’s also using the permissions users grant via the OS dialog to edit a SQLite configuration file to put itself on the Accessibility list - although it’s certainly not making it plain that’s what users are granting when they respond to the prompt for their admin password. We’ll do a better job here and we’re sorry for any anger, frustration or confusion we’ve caused,” he added. However, the company’s justification for utilizing root access to put itself on the Accessibility list in order to gain system-wide, elevated privileges did little to impress some critics. Responding to Newhouse’s statement one Hacker News commenter, riobard, wrote: “At this point you need to follow up with convincing technical details of why Dropbox needs the circumvention to counter the accusation and rebuild the damaged trust. “The reason for needing Accessibility API listed in your response is pretty vague, especially for those Mac users not having Microsoft products tainting their systems. I’ve deleted Dropbox from my Mac for now. I’m not installing it back till there’s reasonable explanation and remedies.”Īnother Hacker News commenter, kybernetyk, called out Newhouse’s phrasing about “granular permissions” as a “nice euphemism for ‘catch all’ permissions…. ![]() “Now a malware can target your scripts and get a free ride to all your system yay,” added partycoder, another Hacker News user. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |