Florian A.1
9 years ago, New member | Level 1
Why does Dropbox ask for your computer password
Hi, I just came across this blog post detailing some, shall we say, unorthodox ways Dropbox is circumventing OS X security features and tricking users into sharing their admin password:
http://applehelpwriter.com/2016/07/28/revealing-dropboxs-dirty-little-security-hack/
I found the same happened on my system (OS X 10.11.6, Dropbox v9.v.49). Can you explain why you do this?
- Leon N., Helpful | Level 5
Tricking users into giving up their admin password is unethical hacking. Dropbox needs to respond and remove this hack.
- Kim V.4, New member | Level 1
The thing, Rich, is that there is absolutely no reason for Dropbox not to go through the regular security channels already in OS X. They could just as easily have used Apple's APIs to do the same thing instead of doing something that is essentially a "hack". They create their own permission window which gives the illusion that it's OS X asking you, not Dropbox. It's deceitful and extremely weird.
- Marco P.10, New member | Level 1
There is no excuse for Dropbox to re-add itself, especially after you removed the application. They are hacking users and hurting them.
- Leon N., Helpful | Level 5
I've never heard of Project Harmony and don't use integration with MS Office, so I guess that's why I haven't had a problem.
I see that Dropbox has created a help article about this. Still, the approach doesn't sit well with me. I can understand that certain elevated permissions are required for some features. Dropbox is the kind of tool that needs to be integrated into the OS to provide all of the capabilities that it does. The way it goes about this is what concerns me.
It needs to be clearer about what it needs permissions for. For example, I don't recall seeing any notice that the app would automatically update itself. Every other app I use that has an autoupdate function (including macOS) asks if I want auto updates. There are very good reasons to give the user control over this function (being on a low bandwidth connection, needing to test software changes before using them in production, etc.). Also, if accessibility is only required for MS Office integration, ask if I want to use it rather than installing it and changing accessibility settings. There could be very good reasons why I wouldn't want the integration.
Dropbox also should not give itself the ability to make changes to the system that require elevated privileges without prompting. If I remove a feature like accessibility, Dropbox should not add it back without asking permission. What if a hacker figures out how to hack the Dropbox client into letting malware have the same privileges? This may be a very rare scenario, but how do the ease of use benefits outweigh the security needs? If Dropbox needs access that I took away, it can detect it and prompt me to allow it again, warning me what will break and, if appropriate, letting me keep it off permanently.
- Kim V.4, New member | Level 1
You better have a really good [removed by moderator] explanation for doing this, Dropbox. I don't pay you to steal my login password.
- John B.194, New member | Level 1
A person claiming to be a Dropbox employee responded to this on the original post downplaying the thing. I think an official statement would be nice.
- Daniel S.48, New member | Level 2
I don't have Office. And even if I did, I wouldn't care about the integration. Dropbox should prompt users specifically for the office integration bit, and if they consent should then do the admin prompt and set up the Accessibility insertion. I still think it's a bad idea, but there's no better solution for cross-app control like that.
At the very least, Dropbox should absolutely not be so pernicious about virally restoring its Accessibility permissions. Like… literally checksumming the SQL injection executable and overwriting it on startup is insane. The only way that executable could get overwritten (but not removed) to something other than what Dropbox created is if a user is actively trying to prevent Dropbox from doing its Accessibility tricks.
I would be a lot more OK with this situation if it were possible to opt out as a user without generating admin prompts every time I start Dropbox. I mean, it's still a massive breach of user trust, but at least it would be a tenable situation. But as things are… Dropbox is basically acting as a virus which hasn't yet done anything with its control of my computer.
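Leon N.'s post above (a revoked Accessibility grant that comes back) and Daniel S.'s post (an executable that writes the Accessibility entry into the database directly) raise the same defender's question: which programs currently hold Accessibility on this machine, and does an entry the user removed reappear? The script below is an added example, not code from Dropbox or from anyone in this thread. It reads the macOS TCC database, lists Accessibility grants, flags the ones the user never approved, and diffs two snapshots so a re-inserted entry shows up. The database location, the layout of the `access` table, the service name `kTCCServiceAccessibility` and the meaning of `client_type` are assumptions about OS X of that era, and every client name in the sample database is constructed.

```python
"""Audit the Accessibility grants recorded in a macOS TCC database.

Added example for this thread, not code from Dropbox or the thread's authors.
Assumptions: the system TCC database lives at
/Library/Application Support/com.apple.TCC/TCC.db and has an `access` table
with columns service, client, client_type, allowed, prompt_count, csreq;
the Accessibility service is named kTCCServiceAccessibility; client_type 0
means `client` is a bundle identifier, 1 means it is an executable path.
"""
import sqlite3
from dataclasses import dataclass
from pathlib import Path

ACCESSIBILITY_SERVICE = "kTCCServiceAccessibility"
SYSTEM_TCC_DB = Path("/Library/Application Support/com.apple.TCC/TCC.db")  # assumed location


@dataclass(frozen=True, order=True)
class Grant:
    client: str
    client_type: int   # 0 = bundle identifier, 1 = executable path (assumed)
    allowed: bool


def open_tcc_db(path=SYSTEM_TCC_DB):
    """Open the TCC database read-only; on a real system this needs root."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def accessibility_grants(con):
    """Every Accessibility row, allowed or denied, sorted by client for stable output."""
    rows = con.execute(
        "SELECT client, client_type, allowed FROM access WHERE service = ?",
        (ACCESSIBILITY_SERVICE,),
    )
    return sorted(Grant(client, client_type, bool(allowed)) for client, client_type, allowed in rows)


def unexpected_grants(grants, allowlist):
    """Enabled grants whose client the user never reviewed and approved."""
    return [g for g in grants if g.allowed and g.client not in allowlist]


def snapshot(grants):
    """Hashable view of the grant set, suitable for persisting between runs."""
    return frozenset(grants)


def diff_snapshots(before, after):
    """Return (added, removed) between two snapshots. A grant the user revoked
    that later comes back appears under 'added' on the next run, which is the
    re-insertion behaviour the thread describes."""
    return sorted(after - before), sorted(before - after)


def build_sample_db():
    """Constructed in-memory stand-in for TCC.db; all clients are made up."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE access (service TEXT NOT NULL, client TEXT NOT NULL, "
        "client_type INTEGER NOT NULL, allowed INTEGER NOT NULL, "
        "prompt_count INTEGER NOT NULL, csreq BLOB, "
        "PRIMARY KEY (service, client, client_type))"
    )
    con.executemany(
        "INSERT INTO access VALUES (?, ?, ?, ?, ?, NULL)",
        [
            (ACCESSIBILITY_SERVICE, "com.example.screenreader", 0, 1, 1),     # approved by the user
            (ACCESSIBILITY_SERVICE, "/Library/Example/sync_helper", 1, 1, 0),  # constructed: never approved
            (ACCESSIBILITY_SERVICE, "com.example.oldtool", 0, 0, 2),          # explicitly denied
            ("kTCCServiceAddressBook", "com.example.mail", 0, 1, 1),           # other service, ignored
        ],
    )
    con.commit()
    return con


def demo():
    """Run the audit on the constructed database and simulate a revoke-then-reappear."""
    con = build_sample_db()
    grants = accessibility_grants(con)
    flagged = unexpected_grants(grants, {"com.example.screenreader"})
    # The user deletes the helper's row; a later run sees the current table again.
    revoked = snapshot(g for g in grants if g.client != "/Library/Example/sync_helper")
    added, removed = diff_snapshots(revoked, snapshot(grants))
    return grants, flagged, added, removed


if __name__ == "__main__":
    grants, flagged, added, removed = demo()
    for g in grants:
        kind = "bundle" if g.client_type == 0 else "path"
        print(f"{kind:6} {g.client:32} {'allowed' if g.allowed else 'denied'}")
    print("not approved by user:", [g.client for g in flagged])
    print("reappeared since revoke:", [g.client for g in added])
```

To audit a real machine, replace `build_sample_db()` with `open_tcc_db()` (run as root), persist `snapshot(...)` between runs, and alert on anything `diff_snapshots` reports as added without a matching system prompt.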
- Pad 4., New member | Level 1
"Trust is the foundation of our relationship with hundreds of millions of people and businesses around the world."
https://blogs.dropbox.com/dropbox/2016/06/transparency-report-jul-dec-2015/
I would like a statement from the Dropbox CEO accepting how seriously this behaviour is a betrayal of trust, explaining how Dropbox came to decide that working in this way was acceptable, and what changes are going to be made to stop similar choices being made in the future.
- Robert T.19, New member | Level 1
Regardless of whether it was good or bad of you to use accessibility permissions, please stop asking for the master password on every login. Please redesign your permissions dialog sequence to use the latest API to ask for the password ONCE.
If a user has already said no, you definitely do not need to ask again at every login... it's just a terrible user experience and very annoying.
- Leon N., Helpful | Level 5
I don't recall if this was mentioned and I couldn't find anything about it by Googling, but it appears that there is similar behavior with the Finder extension setting. Specifically, Dropbox installs and enables a Finder extension. That's okay, other apps do the same. However, if I disable it (I don't like my Finder menus being cluttered), it comes back a few seconds later.
I'm having a hard time understanding why Dropbox insists on ignoring the user. If I remove a setting, it is a bad user experience to just set it back again. If it is critical to the operation of the app, give me a message and let me decide if I want a degraded experience.
With Dropbox making multiple changes to my computer without my consent and reapplying these changes when I remove them, I quickly lose trust. Unfortunately, I use many apps that leverage Dropbox in some way. It will take me a lot of work to replace these programs. I will go through the trouble if Dropbox continues this unfriendly behavior.