During the installation, Dropbox saves the login credentials in %APPDATA%\Dropbox\config.db
The problem: The file can be copied to another computer or account and this simple operation gives an attacker the same credentials as the victim.
Even worse: Changing the password doesn’t help since the credentials don’t depend on the password. So even after a password change, the attacker can still access the Dropbox account!
Kudos go to Derek Newton for finding this gaping hole.
Original article: Dropbox authentication: insecure by design