Are Dropbox files stored really private? Not with Dropbox Reader

Dropbox is one of the biggest cloud storage service that people around the web use for storing their important files. Dropbox provide both free and paid versions of its product. I am one of those guys who avoids putting my sensitive files on the cloud regardless of whatever security and encryption they boast to provide. The reason, I believe that files stored on the cloud are open to being hacked or being peeped upon by govt agencies or vulnerable o some attacks due to drawbacks in the security of cloud storage service if detected by bad guys.

One of forensic computer security firm ATC-NY has released a free tool called “Dropbox Reader” which helps investigators read “evidence files” associated with Dropbox cloud storage accounts.

Dropbox Reader is a suite of command-line tools for parsing configuration and cache files associated with the Dropbox cloud storage software. These tools can run on Windows, Macintosh, and Linux systems.

Dropbox Reader consists of six Python scripts:

  • read_config script outputs the contents of the Dropbox config.db file in human-readable form. This includes the user’s registered e-mail address and Dropbox identifier, software version information, and a list of the most-recently-changed files.
  • read_filecache_config script outputs configuration information from the Dropbox filecache.db file. This includes information about shared directories that are attached to the user’s Dropbox account.
  • read_filejournal script outputs information about Dropbox synchronized files stored in the filecache.db file. This includes local and server-side metadata and a list of block hashes for each Dropbox-synchronized file.
  • read_sigstore script outputs information from the Dropbox sigstore.db file, which is an additional source of block hashes.
  • hash_blocks script produces a block hash list for any file. This block hash list can be compared to the block hashes from read_filejournal or read_sigstore.
  • dropbox_contains_file script hashes one or more files (as per hash_blocks) and compares the resulting block hash list to the files listed in filecache.db (as per read_filejournal) and reports whether the files are partially or exactly the same as any Dropbox-synchronized files.

As you can see from the above mentioned description of Dropbox reader scripts, it can reveal user’s registered e-mail address and Dropbox identifier, software version information, and a list of the most-recently-changed files, shared directories attached to the user’s Dropbox account, local and server-side metadata and a list of block hashes for each Dropbox-synchronized file and much more.

Even though it looks like that it still needs a local access to your Dropbox config files, but its bad for a average user who thinks everything is encrypted but is vulnerable if he is on a open WiFi Network on even a LAN.

Also, the Dropbox TOS includes the following clause which clearly states that if required they will provide access to govt agencies if they are required to do so legally.

Compliance with Laws and Law Enforcement Requests; Protection of Dropbox’s Rights. We may disclose to parties outside Dropbox files stored in your Dropbox and information about you that we collect when we have a good faith belief that disclosure is reasonably necessary to (a) comply with a law, regulation or compulsory legal request; (b) protect the safety of any person from death or serious bodily injury; (c) prevent fraud or abuse of Dropbox or its users; or (d) to protect Dropbox’s property rights. If we provide your Dropbox files to a law enforcement agency as set forth above, we will remove Dropbox’s encryption from the files before providing them to law enforcement. However, Dropbox will not be able to decrypt any files that you encrypted prior to storing them on Dropbox.”

Just look at the portion of the clause (I have made it BOLD) which states that it will remove the encryption from the files before providing those private files to law enforcement agencies. Are you comfortable with this clause? Hopefully you are not. At least I am not comfortable storing my files on a cloud service which puts this clause with the terms of their service.

Even though the clause above can be found in many of the web services but we don’t store our private files there. Here, it just tells you to think before you start storing your private files on the cloud.

What do you think about this? Do you store your private files on Dropbox or cloud or you just store files which are not private?

2 comments… add one

  • Grr

    Thanks a lot Avi.
    A real eye opener for those relying on cloud storage…go & get an Ext HDD..

    as for me: Just store files which are not private…..

    Thanks Grr

  • j kamau

    I love going through your blog. Using your comments I am able to use my laptop safely. I also learn about use of applications more efficiently without overloading my hard disk.
    Is DAP Premium still on offer. I would appreciate free key from you.
    Regards
    J Kamau

Leave a Comment