A Dropbox 0.7.110 security issue
Reading this Dropbox help page (see the ‘For our advanced users’ box) I discovered an interesting Dropbox feature: the cache. Dropbox will store a local cache of files, I suppose mainly for performance reasons. This means that if you delete a file, probably you will be able to recover it also offline.
This is cool, but what about privacy? Two considerations:
- if I delete a file, I imagine it will not be still available on my computer, at least not at a high-filesystem-level.
- (more important) this way I do not have control on where my files are stored: Dropbox 0.7.110 does not allow to edit cache path: it is hard-coded to
%APPDATA%\Dropbox. This means it is stored in the\User\AppData\Roaming\cachefolder.
Roaming is underlined because it is important to note that the roaming directory is synced on Active Directory domains, so a copy of my cache files is stored on the servers of my organization, and on other workstations I logged in, also on those I logged in once. Probably a copy will be stored also on my organization’s back-ups, on shadow copies, etc…!
If Dropbox would have stored the cache in the Local profile, at least those files would not spread on all computers I use, but that wouldn’t be a good solution also: if I sync my files on a USB drive or on an encrypted partition (like TrueCrypt), a clean copy of my files would remain available on the main drive of my machine, and also if I delete those files manually, low-level data would remain intact and clean.
Next versions of Dropbox will solve this problem moving the cache inside the My Dropbox folder, so, for those of you that need a fix for this issue I suggest to open a ticket on Dropbox asking to have access to the latest beta.