Major Security Flaw in Dropbox on Windows

During the installation, Dropbox saves the login credentials in %APPDATA%\Dropbox\config.db

The problem: The file can be copied to another computer or account and this simple operation gives an attacker the same credentials as the victim.

Even worse: Changing the password doesn’t help since the credentials don’t depend on the password. So even after a password change, the attacker can still access the Dropbox account!

Kudos go to Derek Newton for finding this gaping hole.

Original article: Dropbox authentication: insecure by design

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: