Major Security Flaw in Dropbox on Windows

During the installation, Dropbox saves the login credentials in %APPDATA%\Dropbox\config.db

The problem: The file can be copied to another computer or account and this simple operation gives an attacker the same credentials as the victim.

Even worse: Changing the password doesn’t help since the credentials don’t depend on the password. So even after a password change, the attacker can still access the Dropbox account!

Kudos go to Derek Newton for finding this gaping hole.

Original article: Dropbox authentication: insecure by design

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.