Some Mac users are claiming that the desktop client of the Dropbox cloud storage service is being loaded deep into their device’s accessibility menu.
Users installing the Dropbox app are asked for permission to add it to the accessibility menu, but once there, according to Phil Stokes, author of the Applehelpwriter blog, it wasn’t easy to remove. And, if deleted, it kept reappearing, he wrote.
While Dropbox claimed it needed install this way to function correctly, Mac users were concerned as any app inside the accessibility menu can give remote attackers access to the system.
While Dropbox offered an apology last week and a rebuttal, critics were not appeased, asking for more details on how the app was loaded.
In a new post, Stokes said that with Apple’s latest release, 10.12 macOS Sierra, “hacking the Accessibility preferences is no longer possible.”
“Dropbox, like other apps, requires additional permissions to enable certain features and integrations,” a Dropbox spokesperson told SCMagazine.com on Wednesday. “The operating system on a user’s device may ask them to input their password to confirm. Dropbox never sees or receives these passwords. Reports of Dropbox spoofing interfaces, or capturing system passwords are absolutely false. We realize that we can do a better job communicating how these permissions are used, and we’re working on improving this.”
UPDATED on Sept. 22 to include statement from Dropbox.