Can you trust your private photos to Dropbox?

by Murat on October 11th, 2012

For automatically syncing files across your different computers and gadgets, Dropbox is one of the most popular cloud services on the net. But just how safe is it to store your private files on Dropbox?

Chronicle of Dropbox failures.

April 7 – In his blog (, researcher Derek Newton had a few things to say about Dropbox authorization. Mr Newton tells us that Dropbox stores all the authentication information in the config.db file, one of several SQLite database files located at %APPDATA%\Dropbox . Among many other fields, the most one we are interested in is host_id, which, after being defined by the client after the first authorization, does not change. The catch is that the config.db file is not tied to the system in any way. So, by accessing the user’s Config.db file and copying it into another system, a potential attacker can easily gain access to data on the user’s Dropbox account. And the user is not notified! Moreover, the host_id remains valid even if the user ID and password are changed. The only way to remedy the situation is to go to the Dropbox web interface and remove the host_id from the list of linked devices.

April 19 – Dropbox changes the user agreement announcing that, if necessary, it will decrypt users’ files and make them available for investigation under US law.

April 26 – GitHub launches Dropship (, an open source project that allows account holders to get instant access to any file that is available in the Dropbox cloud. All they need to know is the file’s hash. Dropbox’s CTO is not happy about this and immediately contacts Dropship’s creator, Vladimir van der Laan, and politely asks him to remove the project. The program’s user community responds by creating numerous mirrors on Github and on Dropbox itself. They too receive a request from a Dropbox representative to remove project files immediately.

June 19 – the service is updated but the new release has a seriously vulnerable authorization system.

As a result, any user is able to access other users’ accounts without the need for a password. Dropbox defend themselves by claiming that during the time it took to fix the vulnerability, less than 1% of all users were logged in.

By the way, you may be interested to know that German programmers have released a program called BoxCryptor which allows you to encrypt your Dropbox files for an extra level of security.