Jump to content

Another reason Dropbox is insecure


Pwnd2Pwnr
 Share

Recommended Posts

Well, I have worked out MY own kinks in the dhcp world (two cups of coffee and 4 ibuprofen later).

I have never really had too much trust with dropbox; so I don't keep anything in it worth while; but I did find something peculiar; I think Digip has already pointed out that dropbox is easily hacked. I have my fake ap up and running; along with my wireshark and airodump.

Going through the packets; I discovered a local packet which was sent out via mon0 (that is what I was sharking) and found 4 packets...

no 496 time 18.461144 src 10.0.0.254 dst 10.0.0.255 protocol DB-LSP-DISC length 195 info dropbox

no 497 time 18.461551 src 10.0.0.254 dst 10.0.0.255 protocol DB-LSP-DISC length 196 info dropbox

no 1368 time 48.796771 src 10.0.0.254 dst 10.0.0.255 protocol DB-LSP-DISC length 195 info dropbox

no 1369 time 48.497555 src 10.0.0.254 dst 10.0.0.255 protocol DB-LSP-DISC length 196 info dropbox

So, this is within my local address; and I do have an active dropbox sync folder. Is this insecurity widely known about? I do believe it has all of the data I need to access my account... but that is why I ask. Any thoughts?

Edited by Pwnd2Pwnr
Link to comment
Share on other sites

DropBox is horrible for security, I agree. It's been an issue for me already because my supervisor snoops on my work comp over the LAN and I had installed a 1TB DropBox for both of us on my dime, which keeps accidentally downloading new stuff in the home dir even w/ Selective Sync. FML.

It's f-ing addictive for me though b/c the space seems cheap. I can't get that good of a price on VPS/DPS space. I use SpiderOak too, but it's too expensive for my 2-3TB needs.

Link to comment
Share on other sites

10.0.0.255 is a broadcast address(depending on you subnet mask). What device on your network owns 10.0.0.254?

I assume drop box is syncing data possibly or checking for changes maybe and calling home and there are other packets showing the external Drop Box servers IP somewhere as well?

I don't think that list of data is anything to be scared of, or somehow gives anyone insight or access to your home machine or such. Curious what you think the security flaw is in the data you posted though. Other than now telling us you use a 10.x.x.x home network, we knew nothing about your local lan IP range, but other than wireshark showing Drop Box traffic of some kind, what is the security flaw?

From what I recall the hacks were web based to reach the end machines from the web side of shared file links, not publicly given to others, which enabled anyone to see the files you had stored in your drop box, so say you had work data stored in your drop box you wanted to reach from your home machine or vice versa, and it was unencrypted, and someone gained access to the drop box, that unencrypted data is now in the public domain when it maybe wasn't meant to be shared with others. Thats one of the flaws that I recall originally that lead to wide spread data leaks by people were using it to share company files, corporate private data, etc.

The first one I believe used CSRF to hit people who were logged onto both drop box and gmail, which caused them to submit data to sites on behalf of the attacker. The second was simply reuse of the same password in multiple places, hacked email and password, leads to other hacked accounts if reused.

older vuln ->

More recent issues -> http://www.informati...iness/240005413

http://security.stackexchange.com/questions/5358/dropbox-vulnerability-details

Edited by digip
Link to comment
Share on other sites

I was asking if the protocol itself was safe... and by the looks of it it is... I thought that was being transmitted during my softAP... I assumed it was sent out VIA Alfa... but I can now see what you mean. I deleted my dropbox folder and stopped the sync.

Thanks (again, and again for any future insight), you guys... I just don't like the synchronization protocol popping up when I am looking at broadcast signals from mon0...

Link to comment
Share on other sites

An interesting take on Cloud services like Dropbox though, and why, if anything should happen like a seizure of Drop box servers, none of your data on there, or any site, server, cloud storage data center, is really safe, sans encryption before uploading - http://guardedrisk.com/security/cloud-data-yours-or-not/

Link to comment
Share on other sites

  • 1 month later...

so, dropbox is apparently insecure. Who in their right mind would store un-encrypted data on a public service such as dropbox anyway. There's probably a way to program the dropbox to reach for its data outside the network where its actually stored, after its been encrypted by a app like truecrypt. Its hard to believe that it would reveal info to a packet sniffer. I guess they dont pay their developers enough to encrypt and obfuscate network traffic.

Link to comment
Share on other sites

I would steal candy from a criminal to know what you know, Digip... lol

Well, it takes time, lots of reading, researching and talking to people to get to the level of where he is now. Not to forget, dedication and patience too.

But I would do that same too, steal candy from a criminal.

Link to comment
Share on other sites

Problem with Dropbox is, most often once you know the root file system of someone site, say they share an image or file, you can often google dork for the rest of the files from their Dropbox share if the links have every passed through google or any of their services,including people using older versions of Chrome, which, pretty much tracks everything you did.

http://bit.ly/10aqtOg

Edited by digip
Link to comment
Share on other sites

I've stopped using Dropbox services for a very long time. From now on, I've decided to run my own web-server and mail server from home. You can call me paranoid, but I am very much concerned about my personal information privacy and security integrity.

Why should I trust a third party service provider to handle it for me, when I can very well do it myself?

Link to comment
Share on other sites

Problem with Dropbox is, most often once you know the root file system of someone site, say they share an image or file, you can often google dork for the rest of the files from their Dropbox share if the links have every passed through google or any of their services,including people using older versions of Chrome, which, pretty much tracks everything you did.

http://bit.ly/10aqtOg

Wow! Chicks actually keep nude photos of themselves in dropbox!

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...