Over on the post “Security researcher warns over Dropbox authentication security flaw • The Register” contains this text:
“Security researcher warns over Dropbox authentication security flaw
Alert Print Post comment Retweet Facebook
Knitted in insecurity
By John Leyden • Get more from this authorPosted in Cloud, 12th April 2011 10:20 GMT
On Demand Webcast : Making the decision on hosted apps – What’s the risk and reward?
Attackers able to get their hands on a Dropbox configuration file would be able to access and download any files a user synchronises through the service without betraying any signs of compromise, a security researcher has discovered.Derek Newton discovered that a Dropbox authentication token, stored in a config file of the Dropbox directory of a Windows PC, allows access to an associated account with the file-synchronisation service – even if a user changes his password. Dropbox allows the automatic synchronisation of files between multiple computers and mobile devices. The freemium-based service works on multiple operating system platforms and mobile devices. It also offer a web-based interface to data held through an account; these are free to consumers for storage synchronisation volumes of up to 2GB.
The Windows config file might be lifted after a machine becomes compromised via a Trojan, the most obvious attack scenario. If stolen, the host_id config file can used on any other system and the breach can only be resolved by logging into an account and revoking this credential rather than simply changing passwords. Users will not be informed if a new computer is added to a synchronisation list.”