Is Dropbox really so unsafe?
Posted on April 9th, 2011. 2 comments.
Recently a blog post by Derek Newton drew my attention like a magnet. Derek claims that the authentication of Dropbox is insecure by design, as all the data is stored in a SQLite database file and you could hijack another's Dropbox account by simply moving this database file to one's own computer. This news is indeed disturbing. As Derek only checked the Windows version, I wanted to know if this problem exists cross-platform (i.e. on my Mac).
Unlike the Windows version, Dropbox stores its application information in a hidden folder in the user's home directory. The name of this folder is, not surprisingly, .dropbox. Within this folder you find a number of files that Dropbox uses to manage the syncing of the files. It appears that the guy who is responsible for the Mac version had more idea about SQLite than the Windows guy, as he combined various tables in the same database (and not in several database files like in the Windows version). Also the names of the database files (or tables in the Mac version) differ. Their internal structure is different, as the Windows guy used SQLite simply as key/value storage whereas the Mac guy knew that you can have several columns in a database (anyway, it is always horrible to see how many programmers have absolutely no idea about relational databases…). This means that it appears not so trivial to get access to other Dropbox accounts by simply moving database files around. At least you would have to make modifications to the data, which means that it would discourage many wannabe hackers as this involves some knowledge.
So Derek’s initial fear that you can simply move the database files around is not 100 % true, as you cannot hijack the Dropbox account of a Mac user and move it to Windows and vice versa without some modifications. I bet the Linux implementation is different too.
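An added example, not part of the original post and not Dropbox's code: a small Python audit that finds SQLite files in a client settings folder such as ~/.dropbox, reports whether group or other local accounts have any permission bits on them, and lists each table's columns so the key/value and multi-column layouts described above can be told apart. The sample databases, file names, table names and column names are constructed for illustration.

```python
import os, sqlite3, stat, tempfile
from pathlib import Path
SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 file

def is_sqlite(path):
    try:
        with open(path, "rb") as fh:
            return fh.read(16) == SQLITE_MAGIC
    except OSError:
        return False

def table_columns(path):
    """Map table name -> column names; the file is opened read-only."""
    con = sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)
    try:
        names = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")]
        return {n: [c[1] for c in con.execute(
            'PRAGMA table_info("%s")' % n.replace('"', '""'))] for n in names}
    finally:
        con.close()

def audit(root):
    """One finding per SQLite file under root: permission bits and layout."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            if is_sqlite(path):
                mode = stat.S_IMODE(os.stat(path).st_mode)
                findings.append({"file": name, "mode": oct(mode),
                                 "exposed": bool(mode & 0o077),  # group/other bits
                                 "tables": table_columns(path)})
    return findings

def build_sample(root):
    """Constructed stand-in for a settings folder; names are made up, not Dropbox's."""
    for fname, ddl, mode in [
        ("kv_style.db", "CREATE TABLE config (key TEXT, value BLOB)", 0o644),
        ("columns_style.db", "CREATE TABLE account (id INTEGER, email TEXT, token BLOB)", 0o600),
    ]:
        path = os.path.join(root, fname)
        con = sqlite3.connect(path)
        con.execute(ddl)
        con.commit()
        con.close()
        os.chmod(path, mode)
if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(d); print(*audit(d), sep="\n")
```

To check a real installation, call `audit()` on the settings folder itself; a finding with `exposed` set means accounts other than the owner have permission bits on that database file.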
In my opinion there are easier ways to attain a person's username and password than stealing an SQLite database. And if you willingly store your personal data on a cloud service you shouldn’t be concerned about security issues at all. You already gave up security for the sake of using cool Web 2.0 stuff.
2 responses to “Is Dropbox really so unsafe?”

-
So what does that mean now? Just that Dropbox is as insecure as the computer it’s installed on?
-
It makes it relatively easy to steal the login data, at least on Windows. So even a non-technical person can achieve this w/o greater problems.
Martin Schimak April 10th, 2011 at 12:09