Dropbox WTF

Is Dropbox behaving badly on your Mac?

Posted by Mike Apted on Friday, September 9, 2016

This is a somewhat complex issue but the TL;DR here seems to be:

Dropbox is using deceptive and ethically questionable means of obtaining broad permissions on your Mac without being clear to you why they need them and what they are doing with them.

That is certainly worthy of a closer look and some consideration of how that makes you feel re: using their products.

I first saw this referenced today by @bitfield and the main issues here are that:

  • a documented method of obtaining the permissions they are helping themselves to exists (they chose not to use it)
  • they ask for admin creds with the vague premise they are required for the app to work at all (this is clearly not the case for all, perhaps most, users)
  • if you attempt to remove the permissions they silently re-add them with no explanation as to why they need them (!?)
  • this allows the app complete control over your machine, up to the level of simulating manual GUI inputs (!?!?)

The gory details are documented over at applehelpwriter.com in these posts:

  • revealing Dropbox’s dirty little security hack
  • discovering how Dropbox hacks your mac

Dropbox’s defense of the practice is here and doesn’t address any specific reasons as to why this is necessary for all users.

In short, they request your admin password in a dialog box designed to look like a system dialog box (it is not one), then use that to help themselves to a set of long-term permissions that it is not clear most users, if any, require.

There was some confusion initially as to whether they were actually caching your admin password somewhere (it appears they are not), but even discovering the extraneous permissions and revoking them does no good as they simply re-help themselves.

If you would like to disable these seemingly unneeded (or at least needed only in edge cases) permissions, you can follow the steps here, but it boils down to:

  1. Quit the Dropbox app in the status bar.
  2. Delete /Library/DropboxHelperTools folder.
  3. Uncheck Dropbox from Accessibility in System Preferences -> Security & Privacy.
  4. Log out and log back in to your mac user account.
  5. When prompted by Dropbox to enter your admin credentials click Cancel.

The Dropbox app in my testing, and that of others, seems to run just fine without allowing this access. Your mileage may vary. It will ask you every single time the app launches, so remember to be vigilant about where you are throwing around your admin creds.

You can confirm that the removal was successful by rechecking the Accessibility pane in System Preferences -> Security & Privacy to ensure Dropbox.app remains unchecked, and that the /Library/DropboxHelperTools folder does not exist.
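The same check can be scripted and re-run after each login. This is an added example, not part of the original post or the linked write-ups. The TCC database path, the query against its `access` table and the loose `dropbox` name match are assumptions; reading that database needs root (and Full Disk Access on recent macOS), otherwise the script reports `unknown`.

```shell
#!/bin/sh
# Added example, not from the original post. Run as: sudo sh check.sh --audit
# HELPER_DIR is the folder named in the post. TCC_DB is an assumption: the
# system-wide privacy database that backs the Accessibility list.
HELPER_DIR="${HELPER_DIR:-/Library/DropboxHelperTools}"
TCC_DB="${TCC_DB:-/Library/Application Support/com.apple.TCC/TCC.db}"

# Prints "absent", or "present" followed by a listing of the folder so the
# owner and mode of each helper file can be reviewed.
helper_status() {
  if [ ! -e "$1" ]; then echo "absent"; return 0; fi
  echo "present"
  ls -lA "$1" 2>/dev/null
  return 1
}

# Prints "granted", "not-granted" or "unknown" for Accessibility entries whose
# client name contains "dropbox" (a loose match, no bundle ID is assumed).
# Newer macOS records the grant as auth_value=2, older releases as allowed=1.
accessibility_status() {
  command -v sqlite3 >/dev/null 2>&1 || { echo "unknown"; return 2; }
  [ -r "$1" ] || { echo "unknown"; return 2; }
  as_rows=""
  for as_cond in "auth_value=2" "allowed=1"; do
    as_rows=$(sqlite3 "$1" "SELECT COUNT(*) FROM access
      WHERE service='kTCCServiceAccessibility'
        AND lower(client) LIKE '%dropbox%' AND $as_cond;" 2>/dev/null) && break
    as_rows=""
  done
  [ -n "$as_rows" ] || { echo "unknown"; return 2; }
  if [ "$as_rows" -gt 0 ]; then echo "granted"; return 1; fi
  echo "not-granted"
}

# Non-zero exit means something came back or could not be checked.
audit() {
  au_rc=0
  au_h=$(helper_status "$HELPER_DIR") || au_rc=1
  echo "helper folder: $au_h"
  au_a=$(accessibility_status "$TCC_DB") || au_rc=1
  echo "accessibility: $au_a"
  return "$au_rc"
}

if [ "${1:-}" = "--audit" ]; then audit; fi
```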

Whether this is a violation of your trust that warrants more extreme action, or you couldn't care less as long as the software works, is up to you to decide. It certainly seems prudent to disable this sweeping access to your machine if it does not impact Dropbox’s ability to function in your use case.

This is exactly the type of vector that gets targeted in malware, ransomware, etc. Why target the primary OS when you can target an app that the user has given unlimited power to?

Caveat emptor.