Dropbox on macOS uses malware tricks to get privileges that it doesn't need

If you have Dropbox installed, check → → .

TL; DR: Dropbox

• Shows macOS fake system window to get user password
• Adds itself to privileged processes without permission for everyone.
• Puts backdoor in the system to restore permissions if they are explicitly selected.
• These permissions do not really use <irony />

Notice anything unusual in this picture? Ever wondered how it got here? Thought - maybe you added it yourself when Dropbox asked permission to control a computer?

No, your memory does not fail you. You do not remember how you allowed it, because Dropbox never showed you a dialog asking for permission — like this:

This is the only officially allowed opportunity to get on this list - but Dropbox never asked you for permission. Later I will tell you why this is important, but now do an amazing experiment: try deleting it.

“Easy!” You say. The way everyone knows: click «» , select the line from Dropbox, delete it with the "-" button. And now, look: it is no more, right?

Wrong . He has a bad habit of coming back every time. Try to re-enter the system (or restart the program), and Dropbox will add itself again to the list of allowed applications and a check mark in front of it will be installed. This is real magic!

If you don't want to try, see how I try to disable this feature in Dropbox:

Two questions arise here:

• Why is it important?
• Is it possible to somehow remove this check mark, but continue to use Dropbox?

Why is it important?

This is important for at least three reasons:

First , and most important: because Dropbox did not even ask permission to control your computer. “Managing a computer” in macOS means pressing buttons, menu items, launching programs, deleting files ... This is a security risk, and therefore programs should require entering a password and explicit permission to enter that list.

But, for example, you trust Dropbox, and consider that they are a big company that does not want to upset its users and will not do things that are not worthy of their honest name?

If you reason like this, you make two mistakes:

• The larger the company, the less it suffers from frustrated users. It's simple: if 1000 people read this article and stop using the service (by Habré, there were 200 people) , by and large, nothing will change. It is foolish to assume that a large company will not send you to hell from the fact that it is afraid of losing all customers and business. Even more stupid - if you remember that you have them at a free rate. ( Below is a detailed analysis of why large companies rarely think about the ethics of their actions).

  
  
• More importantly, you already have serious evidence that Dropbox cannot be trusted: it has just gained control of the system, bypassing macOS protection, and without asking you. In addition, as you saw in that amazing experiment, even when you clearly take control away from him, he ignores your decision and restores it. How he does it - we will soon find out. (There are other good reasons to disbelieve Dropbox - for example, this one is approx. Lane.)

There is a second problem with this Dropbox trick.

Imagine for a moment that the developers do not want evil and do not want to do anything bad to you. But, nevertheless, the Dropbox process has the possibility of this. This means that an attacker can find an error in the Dropbox code and use it to take control of your computer. For now this is only a potential threat; but, like all threats, it will become real as soon as some attacker uses it.

The whole point of the OS security system — and the main task of the macOS permissions system — is that the program should not have more authority than it needs to complete the task . Dropbox either stores the administrator password explicitly (this is very bad), or starts its process with superuser privileges (no less bad) - otherwise it would have to ask the password every time you remove it from the allowed ones.

In my opinion, this measure is not only secretive (since I did not give explicit permission for such), but also excessive.

And this is the third problem: Dropbox does not need superuser rights or access to the Accesibility API for normal operation. (As suggested in the comments to the original article ^(English) , Dropbox thus wants to know when you take a screenshot; but the Habr commentators confirm that the publication of the pictures works - apparently in a civilized way, via FSEvents - approx. Lane).

I spent a long test to make sure it worked, using it on 3 Macs and iPhone for 10 months, and did not find any problems. I could not check all the features of the service - I used Dropbox in the usual way on a regular OS X. I repeat: there were no problems, and even if they had arisen, then Dropbox would have to ask for additional permissions - like all other programs - and respect my decision if i take that permission away.

In addition, I reported my findings to Apple Product Security, and waited to see if they could force developers to change the program's behavior (so far to no avail)

Then we have only one question left:

How to disable all this, but save Dropbox.app?

(Comments indicate that deleting Dropbox in the usual way does not remove the backdoor - approx. Lane.)

• Stop Dropbox (Dropbox icon in menu bar → context menu → «» → Dropbox )
• Delete the directory /Library/DropboxHelperTools
• Remove Dropbox from →
• Log out and log back in.
• Launch Dropbox and see this window:

As we’ve already figured out, this dialog box is lying (still believe a big serious company?) When it says that Dropbox will not function correctly; but the main deception is that this is not the window that should be shown by a program that wants access to the Accessibility API . In fact, even with a user password, it should not be allowed in . It seems that the guys from Dropbox are paid a salary for inventing hacks for macOS.

And here is a small snag: if you don’t give your program your password, it won’t get into and will work without it - as well as before. But every time it starts, it will again and again require your password.

Now you will need to look at who asks for a password, and not give it to any program. Of course, you shouldn’t do that without my advice - but this dialog box looks almost like a real system window of macOS itself - and, perhaps, has already taught you to write everything you ask for.

This request is unpleasant every time, but not as unpleasant as the program that hacked your Mac.

Additions

• Second article: A detailed analysis of the technology that Dropbox uses to deploy to the system: Discovering How Dropbox Hack's Your Mac ^(eng.)
• The answer is an apology from the developers in the comments ^(eng.) To the second article. It comes down to phrases: "Well, you noticed it, now you have to remove it" and "We are not villains, we just have a bad code." They also say that the window is a real system, not a fake.