Dropbox has responded to security concerns about the ability of one of its new technologies to obtain kernel access.
Back in April, the secure file sharing and storage service announced “Project Infinite,” an initiative which will help revolutionize the way Dropbox interfaces with a user’s computer.
Dropbox software engineer Damien Deville provides more information in a blog post.
Dropbox currently overlays a green check icon on all files that are available locally. Project Infinite will add a cloud icon as a second overlay that indicates a file is available online but not yet locally. Users can therefore download that file and interact with it as they would any other file.
Dropbox designed Project Infinite to grant users access to all of their saved files regardless of how much space they have available locally on their hard drives.
While this explanation might appeal to end users, Sam Bowne, who teaches Ethical Hacking at City College San Francisco, is worried about the level of access the new initiative would require. Per Bowne’s conversation with Motherboard:
“By moving from userland to kernel-land, Dropbox will take on a large responsibility. The way Dropbox works now, it’s like a vendor setting up a cart outside your home selling hot dogs. But they are now proposing to copy the keys to your house, move in, and live with you.”
Bowne and other security experts are worried that if flaws existed in Project Infinite, attackers could use those vulnerabilities to escalate their access and assume control of a user’s computer.
@iblametom @josephfcox disgustingly insecure software with highest possible privileges examining all your files? Seems safe.
— Bobby 'Tables (@info_dox) May 25, 2016
In light of these concerns, Deville has released the following update from Dropbox:
Dropbox is currently in the process of testing Project Infinite. It intends to roll out the initiative to a broader set of users soon.
News of this announcement comes two years after the file-sharing service confirmed the existence of a vulnerability that allowed sensitive files associated with shared links to be exposed and turn up in search engine results on Google.