How Dropbox Hacks Your Mac

[Kadin]

It's a good thing Dropbox isn't doing that, then.

[tigershark]

Then please explain how it manages to set the accessibility privilege at every login after the user explicitly revokes it. I can see only two options:

1) the Dropbox client stores the password and uses it to hack the accesses db at every login.

2) the Dropbox client runs as root and does the same thing.

Both options are simply terrible from a security point of view

[johncolanduoni]

Not sure if this is how they do it, but OS X has another option (which is in fact recommended by Apple for all tasks needing elevated permissions): installation of a privileged helper tool.[1] The helper tool communicates with the main app via IPC, ideally such that the only things the app can ask are precisely the things it's supposed to do (e.g. the helper will only sneak in accessibility for the dropbox app, and nobody else). The helper tool removes a lot of the surface area for security holes, assuming the IPC protocol is well written (not something like "here's this string, run it as a shell command with root privileges).

[1]: https://developer.apple.com/library/mac/documentation/Securi...

[danieldk]

3) Dropbox installs some helper programs with the SUID bit set.

And this is what they actually do.

    % ls -l /Library/DropboxHelperTools/Dropbox_u501
    total 256
    -r-s--x--x  1 root  wheel    9632 Sep  8 20:10 dbaccessperm
    -r-s--x--x  1 root  wheel  116668 Sep  8 20:10 dbfseventsd

(Note the SUID bit and the root owner, meaning that these binaries will run with the root UID when started by a normal user.)