Security researcher questions design of Dropbox authentication

Security researcher Derek Newton explored the inner workings of several popular file synchronization tools, starting with Dropbox because of its popularity. In a nutshell, Newton found that Dropbox authentication hinges on a single hash value, stored unencrypted in a local file that is created when a computer (or smartphone) is first linked to an account. More disturbing, that hash never changes and keeps working even after the account password is changed; anyone who obtains it effectively has indefinite access to the account unless the owner explicitly unlinks that specific device.

In response to Newton's original blog post, Dropbox commented that "the security battle is already lost" should an attacker gain physical access to a computer in the first place. Noting that Dropbox takes security very seriously, the company said it did not "agree with the assertion that there is a security flaw," citing the comparable risk posed by stolen browser session cookies.

While I won't personally peg this as a "security flaw," it does not strike me as a robust security implementation either. For example, a social-engineering attempt that asks for a copy of one specific file, config.db, would be trivial. Ditto a new but limited zero-day vulnerability that only allows known files to be extracted. I think a response by user Oliver summed it up pretty well: "the difference is that I can configure my web browser to not store cookies...in the DropBox auth case, there is no time limit."
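To make the design difference concrete, here is an added example (not Dropbox's code, and not taken from Newton's post) that models two device-linking servers side by side. `StaticDeviceAuth` follows the design described above: linking mints one secret that stays valid until the device is unlinked, and a password change leaves it untouched. `BoundDeviceAuth` is a hypothetical hardened variant in which each device secret records the credential generation it was issued under and an issue time, so a password change invalidates every outstanding secret and old secrets expire, addressing the "no time limit" point. The class names, the `scenario()` walkthrough and the timestamps are all constructed for illustration.

```python
import hashlib
import secrets

DAY = 24 * 3600


def _fingerprint(token: str) -> str:
    # Keep only a digest of the device secret server-side, so a leaked
    # server table does not hand out directly usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


class StaticDeviceAuth:
    """Model of the design the article describes (hypothetical, not Dropbox's
    code): one static secret per linked device, valid until unlinked."""

    def __init__(self):
        self.password = "initial"
        self.devices = {}  # fingerprint -> device name

    def link_device(self, name: str) -> str:
        token = secrets.token_hex(32)
        self.devices[_fingerprint(token)] = name
        return token

    def change_password(self, new_password: str) -> None:
        self.password = new_password  # device secrets are not touched

    def authenticate(self, token: str) -> bool:
        return _fingerprint(token) in self.devices

    def unlink(self, token: str) -> None:
        self.devices.pop(_fingerprint(token), None)


class BoundDeviceAuth:
    """Hypothetical hardened variant: a secret is bound to the credential
    generation it was issued under and carries an issue time. A password
    change bumps the generation, so every earlier secret fails on next use,
    and any secret older than `ttl` is rejected regardless."""

    def __init__(self, ttl: int = 30 * DAY):
        self.password = "initial"
        self.generation = 0
        self.ttl = ttl
        self.devices = {}  # fingerprint -> (name, generation, issued_at)

    def link_device(self, name: str, now: int) -> str:
        token = secrets.token_hex(32)
        self.devices[_fingerprint(token)] = (name, self.generation, now)
        return token

    def change_password(self, new_password: str) -> None:
        self.password = new_password
        # No need to enumerate devices: bumping the generation orphans
        # every outstanding secret at once.
        self.generation += 1

    def authenticate(self, token: str, now: int) -> bool:
        fp = _fingerprint(token)
        record = self.devices.get(fp)
        if record is None:
            return False
        _name, generation, issued_at = record
        if generation != self.generation or now - issued_at > self.ttl:
            del self.devices[fp]  # stale secret: drop it so the table stays clean
            return False
        return True

    def unlink(self, token: str) -> None:
        self.devices.pop(_fingerprint(token), None)


def scenario() -> dict:
    """Walk both designs through the same stolen-secret story (constructed)."""
    t0 = 1_000_000  # constructed epoch-style timestamp
    results = {}

    weak = StaticDeviceAuth()
    stolen = weak.link_device("laptop")        # attacker copies the local file
    weak.change_password("new-password")
    results["static_after_pw_change"] = weak.authenticate(stolen)  # still valid
    weak.unlink(stolen)                        # only unlinking revokes it
    results["static_after_unlink"] = weak.authenticate(stolen)

    hard = BoundDeviceAuth(ttl=7 * DAY)
    stolen = hard.link_device("laptop", now=t0)
    results["bound_fresh"] = hard.authenticate(stolen, now=t0 + 60)
    hard.change_password("new-password")
    results["bound_after_pw_change"] = hard.authenticate(stolen, now=t0 + 120)
    relinked = hard.link_device("laptop", now=t0 + 180)  # owner re-links
    results["bound_relinked"] = hard.authenticate(relinked, now=t0 + 240)
    results["bound_expired"] = hard.authenticate(relinked, now=t0 + 180 + 8 * DAY)
    return results


if __name__ == "__main__":
    for name, outcome in scenario().items():
        print(f"{name}: {outcome}")
```

The generation counter is the important piece: it lets a password change revoke every device secret in one step without a per-device list, while a device the owner re-links afterwards gets a secret under the new generation and keeps working. The TTL is a separate control and applies even when the password never changes.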

For more on this story:
- check out this article at PCWorld
- check out this blog post at Derek Newton's website

Related Article:
Dropbox hits version 1.0