Sep 21, 2016

Dropbox makes it right

I wrote earlier about Dropbox hijacking Mac OS security. This finally seems to have changed. After upgrading to macOS Sierra I noticed that Dropbox asks me for Accessibility permission via the standard system dialog.
Next I went to the Dropbox settings and changed the Dropbox badge option to Never Show.
Restarted the Dropbox app and voila! Dropbox has no accessibility access and is not asking for it anymore!

Sadly, it was not Dropbox's good will that dictated this change. It is reported that Apple closed the security hole, so the Dropbox hack is simply impossible on macOS Sierra.

Sep 9, 2016

Dropbox hijacked your Mac security

If you're using Dropbox on Mac OS you might be surprised that Dropbox has permission to control your computer, even though it never asked for that permission. Even if you uncheck or remove Dropbox from the Accessibility list, it will reappear on your next login or the next start of the Dropbox app. There are good articles at applehelpwritter.com on what the exact issue is ("revealing Dropbox’s dirty little security hack") and on how Dropbox does it ("discovering how Dropbox hacks your mac").

As for me, I'll show you how to prevent Dropbox from hijacking Mac OS security. What we need is to remove the ability to execute the exploit binary and to prevent Dropbox from reverting those changes.

1. Open the Terminal app. Change the current directory to the Dropbox exploit directory. The Dropbox version might be different on your computer; just choose the latest if there is more than one.
cd /Library/DropboxHelperTools/Dropbox_u502
Remove the executable and set-user-id bits from the exploit binary. The system will prompt you for your admin password.
sudo chmod -sx dbaccessperm
Lock the exploit binary against changes (the uchg flag makes the file immutable).
sudo chflags uchg dbaccessperm

2. Now uncheck the permission for Dropbox in System Preferences - Security & Privacy - Privacy. You will need to click the lock at the bottom left to make changes on this page. That's it. The permission for Dropbox will not reappear after a Mac restart. Most importantly, there are no dialogs on every OS reboot.

You might think it is easier to just remove the exploit binary, but that is not the case: if the binary is removed, Dropbox will recreate it on its next start and override the permissions.
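The two steps above as a re-runnable script, with a check you can repeat after a Dropbox update recreates the helper. This is an added example, not code from the original post or from Dropbox; it assumes the helper root /Library/DropboxHelperTools and the binary name dbaccessperm as given above, and the script's own names (latest_helper_dir, harden_helper, helper_is_neutralised, DBX_HELPER_ROOT) are mine.

```shell
#!/bin/sh
# Added example, not from the original post: the two hardening steps above as a
# re-runnable script plus a check to repeat after every Dropbox update.
# Assumptions: helper root DBX_HELPER_ROOT (default /Library/DropboxHelperTools,
# as on the page) and the binary name dbaccessperm. Usage: sudo sh harden.sh apply
DBX_HELPER_ROOT="${DBX_HELPER_ROOT:-/Library/DropboxHelperTools}"

# Print the newest Dropbox_u<uid> directory under $1 (the post says to pick the
# latest when more than one exists); fails if none is present.
latest_helper_dir() {
    suffix=$(ls "$1" 2>/dev/null | grep '^Dropbox_u[0-9][0-9]*$' \
             | sed 's/^Dropbox_u//' | sort -n | tail -n 1)
    [ -n "$suffix" ] || return 1
    printf '%s/Dropbox_u%s\n' "$1" "$suffix"
}

# Step 1 of the post: clear the set-user-id and execute bits (explicit form of
# the page's chmod -sx), then set the immutable flag so Dropbox cannot restore
# them. chflags/uchg exist only on BSD/macOS, so the lock is skipped elsewhere.
harden_helper() {
    bin="$1/dbaccessperm"
    [ -f "$bin" ] || { echo "missing $bin" >&2; return 1; }
    chmod a-sx "$bin" || return 1
    if command -v chflags >/dev/null 2>&1; then chflags uchg "$bin"; fi
}

# Returns 0 only if the helper can neither execute nor escalate and, on macOS,
# still carries the uchg flag (shown by ls -lO). Dropbox updates may reinstall
# the helper, so re-run this check afterwards.
helper_is_neutralised() {
    bin="$1/dbaccessperm"
    [ -f "$bin" ] || return 1
    [ -u "$bin" ] && return 1
    [ -x "$bin" ] && return 1
    if command -v chflags >/dev/null 2>&1; then
        ls -lO "$bin" | grep -q uchg || return 1
    fi
    return 0
}

case "${1:-}" in
    apply)
        dir=$(latest_helper_dir "$DBX_HELPER_ROOT") || { echo "no helper dir" >&2; exit 1; }
        harden_helper "$dir" && helper_is_neutralised "$dir" && echo "hardened $dir" ;;
    check)
        dir=$(latest_helper_dir "$DBX_HELPER_ROOT") || exit 1
        helper_is_neutralised "$dir" && echo "ok: $dir" || { echo "NOT hardened: $dir"; exit 1; } ;;
esac
```

Run `sh harden.sh check` after each Dropbox update; a non-zero exit means the helper came back executable and step 1 must be applied again.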

If you are not sure whether Dropbox will work correctly without controlling your computer, there is an explanation of why accessibility is used by the Dropbox app - "We use accessibility APIs for the Dropbox badge (Office integrations) and other integrations (finding windows & other UI interactions)." (link). Personally, I don't use the Office integration and have seen no problem in Dropbox functionality since I disabled accessibility access for Dropbox.