⟵ home

Dropbox 0.7.110 security issue

Reading this Dropbox help page (see the ‘For our advanced users’ box) I discovered an interesting Dropbox feature - and security issue: the cache.

Dropbox will store a local cache of files, I suppose mainly for performance reasons. This means that if you delete a file, probably you will be able to recover it also offline.

This is cool, but what about privacy?

Two considerations:

  1. if I delete a file, I imagine it will not be still available on my computer, at least not at a high-filesystem-level.
  2. (more importantly) this way I do not have control on where my files are stored: Dropbox 0.7.110 does not allow to edit cache path: it is hard-coded to %APPDATA%\Dropbox. This means it is stored in the \User\AppData\Roaming\cache folder.

Roaming is the critical bit because it is important to note that the roaming directory is synced on Active Directory domains, so a copy of my cache files is stored on the servers of my organization, and on other workstations I logged in, also on those I logged in once. Probably a copy will be stored also on my organization’s back-ups, on shadow copies, etc…! If Dropbox would have stored the cache in the Local profile, at least those files would not spread on all computers I use.

But that wouldn’t be a good solution also: if I sync my files on a USB drive or on an encrypted partition (like TrueCrypt), a clean copy of my files would remain available on the main drive of my machine, and also if I delete those files manually, low-level data would remain intact and clean. Next versions of Dropbox will solve this problem moving the cache inside the My Dropbox folder, so, for those of you that need a fix for this issue I suggest to open a ticket on Dropbox asking to have access to the latest beta.

This page was published on June 26, 2010