I installed Dropbox, fully knowing that it embedded itself into the OS. But I assumed that it was using a proper API to do so.
I need to rethink that soon. If macOS Sierra's (to be released next week?) similar replication features work properly, doesn't Dropbox become expendable for customers playing exclusively within Apple's ecosystem?
Seems it would be expendable in that use case, but "work properly" seems to be the catch. On MacBreak Weekly this week, Adam Engst was recommending listeners immediately disable that feature when Sierra launches, as he's been finding it buggy & running into data loss situations.
Wow, this is really impressively brazen. A faked authorization prompt, and silent reconfiguration of a security setting without authorization? I cannot fathom why DropBox thinks this is a good idea.
Wow, this is really bad. There is no need for it as Apple has an API for finding out which files have changed. I assume they do this simply to animate the little icon in the Finder (since I don't think anyone else does anything like it, and it was a famous question by Jobs to the DB founders). Although the author's follow on article suggest it's just for future use!
I guess that's it for Dropbox for me. Though as the author says, they're not going to care.
Fortunately their service is now a commodity (as Jobs told them when they demoed for him, they are simply a feature). I have always preferred Drobox just because it seemed the simplest (and they supported Linux). But switching just takes a short time to copy my files to one of their competitors.
I prepaid for a year's Dropbox service. I wonder how much luck I will have getting a refund on the unused amount.
I wonder why they chose to gratuitously be assholes?
I totally missed this post - but having read it am pretty shocked. Is that really what the app is doing? Storing the admin password so that it can override your OS settings?
Not happy about that at all...
What are the implications of not giving it your admin password?
Yeah I didn't think that there was a definitive answer in the article, kind of says that dropbox will just keep asking for it on boot. I was asking to see if anyone knew what APIs dropbox might be hooking into, but @szhu in a post above has kind of confirmed that nothing really happens. I took a look at this 2009 post. Interesting.
Looks like it doesn't retain the password, it just uses it to grant itself access to a config database which it can then modify at will later. Not that that is much better since accessibility permissions are kind of the keys to the kingdom and being able to modify the contents of that database is a highly restricted operation for a reason.
Dropbox has always been doing been forcing users to give it admin permissions for non-necessary reasons. I posted about this on the Dropbox forums back in 2009:
Seven years later and they're still at it? I doubt this article will make them change.
I noted that, curiously, if I denied it admin permissions, Dropbox would still work. I know for fact that it I never granted admin permissions because I did not have my own computer back then, and I was using Dropbox just fine.
What really baffles me is why they don't give users a choice of whether to make their system less secure when their product clearly works without those extra permissions.
Whoever made this decision probably doesn't realize how people like us tend to steer a lot of the decisions that drive Dropbox usage. I've had to ask 5 companies to install Dropbox this year. And I was already thinking to myself -- why Dropbox? Because it's popular? Now I'm going to be looking seriously at Box instead.
Now I have to wonder if this sort of nonsense goes on with their Windows and mobile (iOS/Android) implementations. Or are those OSes too different from how OSX works to be comparable?
BTW there actually is a legit case when DB would need your admin permissions: so you can save files with different ownership (or suid files) in your DB.
But they could handle this by asking for permission when they need to read/write those files.
None of this excuses them: since they use an underhanded dialog box I don't trust them at all. Unfortunately.
26 comments
[ 3.6 ms ] story [ 60.8 ms ] threadI need to rethink that soon. If macOS Sierra's (to be released next week?) similar replication features work properly, doesn't Dropbox become expendable for customers playing exclusively within Apple's ecosystem?
It's not a hack, it's you giving away your credentials on a screen that's designed to look like a system password prompt.
A Dark UI pattern at most, and a security leak whenever someone hacks the dropbox auth storage. Not a hack, just clickbait.
>The general function of social hacking is to gain access to restricted information or to a physical space without proper permission.
I guess that's it for Dropbox for me. Though as the author says, they're not going to care.
Fortunately their service is now a commodity (as Jobs told them when they demoed for him, they are simply a feature). I have always preferred Drobox just because it seemed the simplest (and they supported Linux). But switching just takes a short time to copy my files to one of their competitors.
I prepaid for a year's Dropbox service. I wonder how much luck I will have getting a refund on the unused amount.
I wonder why they chose to gratuitously be assholes?
I guess with this, it's time to switch over for good.
Not happy about that at all...
What are the implications of not giving it your admin password?
pretty disappointing really.
http://web.archive.org/web/20120127192749/http://forums.drop...
Seven years later and they're still at it? I doubt this article will make them change.
I noted that, curiously, if I denied it admin permissions, Dropbox would still work. I know for fact that it I never granted admin permissions because I did not have my own computer back then, and I was using Dropbox just fine.
What really baffles me is why they don't give users a choice of whether to make their system less secure when their product clearly works without those extra permissions.
[1] https://www.dropbox.com/help/7672
http://applehelpwriter.com/2016/07/28/revealing-dropboxs-dir...
[1] https://www.dropbox.com/help/7672
But they could handle this by asking for permission when they need to read/write those files.
None of this excuses them: since they use an underhanded dialog box I don't trust them at all. Unfortunately.