Dropbox has denied accusations that its Mac client is stealing passwords.
Developer Phil Stokes has accused the cloud locker company of sucking up administrator passwords on machines in a bid to reduce the number of permission prompts.
Stokes says in analysis that Dropbox's Mac client abused the system preferences’ accessibility list to phish users for their passwords.
"In short, what that hack suggests is that you modify tcc directly by inserting an entry into the sql database located here /Library/Application Support/com.apple.TCC/TCC.db," Stokes says.
He found three binaries installed in a Dropbox folder, rather than the standard PrivilegedHelperTools directory, saying the string output for the dbaccessperm binary file was "gold" and "proof" Dropbox was using a SQL attack on the tcc database to circumvent Apple’s authorisation policy.
Dropbox desktop developer Ben Newhouse moved to hose down the claims some developers suggested was less conspiracy and more bad practice, conceding that the company needs to better communicate its use of permissions and adding it never stores administrator passwords.
"Clearly we need to do a better job communicating about Dropbox’s OS integration," Newhouse says .
"We ask for permissions once but don’t describe what we’re doing or why. We’ll fix that.
"We only ask for privileges we actively use, but unfortunately some of the permissions aren’t as granular as we would like."
Newhouse says accessibility APIs are used for Dropbox Office and Windows integration, and elevated access for where filesystem APIs are too limited.
"We’ve been working with Apple to eliminate this dependency and we should have what we need soon," he says.
"We’re all jumping on this. We’ll do a better job here and we’re sorry for any anger, frustration or confusion we’ve caused." ®