After some testing (modification of data within the config table, etc) it became clear that the Dropbox client uses only the host_id to authenticate. Here’s the problem: the config.db file is completely portable and is *not* tied to the system in any way. This means that if you gain access to a person’s config.db file (or just the host_id), you gain complete access to the person’s Dropbox until such time that the person removes the host from the list of linked devices via the Dropbox web interface. Taking the config.db file, copying it onto another system (you may need to modify the dropbox_path, to a valid path), and then starting the Dropbox client immediately joins that system into the synchronization group without notifying the authorized user, prompting for credentials, or even getting added to the list of linked devices within your Dropbox account (even though the new system has a completely different name) – this appears to be by design. Additionally, the host_id is still valid even after the user changes their Dropbox password (thus a standard remediation step of changing credentials does not resolve this issue).
Searching a little bit more informations on the described attack I came across to an early attack implementation (by Moloch) available through dropbox too … (ha ha ha).
- Find a victim machine running Dropbox, insert your USB drive
- Run dbClone.exe, data will be saved in a .txt file
- On your own computer install the dropbox client and run “dbClone.exe -i”
- Paste in the ‘hostid’ from the .txt file into the ‘hostid’ prompt, enter /any/ email
- Start up the Dropbox client, and sync all the files!!!