

Possible security vulnerability in Dropbox? - RockyMcNuts
http://thenextweb.com/industry/2011/04/08/dropbox-security-hole-could-let-others-access-your-files/
A possible security hole in Dropbox?

"Newton’s concept, tested on a Windows machine, uses Dropbox’s own configuration files; configuration data, file/directory listings, hashes which are stored in numerous SQLite database files located in %APPDATA%\Dropbox. Inside one file lies a database row containing a user’s “host_id”, which is used to authenticate each individual user.

Modifying this file and changing the host_id to that of another Dropbox user automatically authenticates the account, providing complete access to that person’s Dropbox until the user realises that there is a new computer in the “Linked Devices” section of the Dropbox website."

Dropbox says there is no issue, a successful attack requires access to the user's computer (which seems inconsistent with the above), and that this is similar to stealing someone's cookies and using them to access Web services.

I would think for a service as potentially sensitive as Dropbox, something more secure than cookies could be used, and they could become invalid when used from a different machine.
======
nbpoole
See also: <http://news.ycombinator.com/item?id=2421110>

