A number of iOS apps, including 1Password, have a security problem in how they handle OAuth tokens. 1Password 3.6.5, which was submitted to Apple several days ago, fixes this. This will be a free update for all owners of 1Password for iPhone, 1Password for iPad, and 1Password Pro (for iPhone and iPad). We can’t predict how long Apple’s approval process will take, but the update should be available soon, if it isn’t already by the time you read this.

Because of this bug, someone who gains physical access to your device may be able to copy authentication tokens off of it, then install those tokens on their own device to access your Dropbox data. It is not entirely clear at the moment under what circumstances an attacker will also need the device passcode. It appears that if the device has previously been synced with the computer, the passcode isn’t required. In any case, it is important to keep your iPhone, iPad, or iPod Touch protected with a good passcode.

We have been extremely careful in how we store your Dropbox username and password for automatic syncing, but like many others, we didn’t take the appropriate precautions when it came to OAuth tokens. These tokens allow quick connection to Dropbox (Facebook and other services also use OAuth). Of course, any 1Password data that an attacker fetches from your Dropbox account is still encrypted by 1Password.

In 1Password 3.6.5, which we submitted to Apple at the beginning of the week, we store OAuth tokens securely in the iOS keychain, where they are properly encrypted and cannot be copied to other devices. However, if other apps that use Dropbox have the same problem (and it looks pretty common), then OAuth tokens can be copied from those apps as well.

To manage your Dropbox devices, log in to your Dropbox account with a web browser, and under your account name, go to Settings and then “My Computers”. If you suspect that an OAuth token has been stolen, you can unlink the computer or device. After that you will need to relink the computer or device to your Dropbox account using your Dropbox username and password.

Alternatives to Dropbox

Every time there is a security issue with Dropbox, people rightfully suggest that we offer alternative syncing mechanisms. At this point, there is nothing that I’m in a position to say beyond what we’ve said earlier in “Dropbox Terms”. There are developments, but nothing I am even willing to hint at just yet.