Man-in-the-Cloud: stealing Dropbox sync tokens to hijack accounts without a password
August 2015
At Black Hat USA 2015, Imperva researchers showed that stealing a single synchronization token let an attacker take over a Dropbox account and read its files indefinitely — and that, in Dropbox's case, changing the password did not revoke the stolen token.
What happened
In its August 2015 Hacker Intelligence Initiative report 'Man in the Cloud (MITC) Attacks,' Imperva's Application Defense Center demonstrated how popular file-sync services including Dropbox, Google Drive, Box and OneDrive could be quietly converted into attack tools. Instead of stealing a password, the attacker steals the synchronization token that the desktop client stores locally after the first login — a token that can be lifted with ordinary, low-suspicion code and replayed from the attacker's own machine to silently sync the victim's files.
Imperva's proof-of-concept tool, 'Switcher,' social-engineered a victim into installing the attacker's token, causing the victim's machine to hand a copy of its legitimate token back to the attacker. The report singled out a Dropbox-specific weakness: the synchronization token (the host_id value) was not changed or revoked when the user changed their password — it changed only when the device was explicitly unlinked. Imperva noted that revoking a stolen token was 'tricky' on Dropbox, making persistent, password-independent access especially hard to shut down.
Impact
MITC reframed cloud-storage risk around tokens rather than passwords, showing that two-factor authentication and password resets — the usual responses to account compromise — do nothing against an attacker holding a valid sync token. It pushed enterprises toward monitoring for anomalous token use and CASB controls, and underscored that local credential storage in sync clients is a high-value target. The research compounded earlier criticism (Derek Newton, 2011) that Dropbox's device tokens were dangerously durable.
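One way to put the report's monitoring recommendation into practice, as an added example that is neither Imperva's nor Dropbox's code: a small Python detector run over constructed sync-service log lines that flags a token replayed from a second machine and a token still accepted after the account's password was changed (the log format, field names, host names and the `tok_*` values are assumptions).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not from the Imperva report): a sync service's
# server-side log of which token synced from which machine, plus one
# password-change event for the same account.
SAMPLE_LOG = """\
2015-08-05T08:00:01Z account=alice token=tok_a1 ip=203.0.113.10 host=ALICE-LAPTOP
2015-08-05T08:15:22Z account=alice token=tok_a1 ip=203.0.113.10 host=ALICE-LAPTOP
2015-08-05T08:17:40Z account=alice token=tok_a1 ip=198.51.100.77 host=WIN-PC
2015-08-05T09:00:00Z account=alice event=password_change
2015-08-05T09:30:12Z account=alice token=tok_a1 ip=198.51.100.77 host=WIN-PC
2015-08-05T10:00:00Z account=bob token=tok_b1 ip=192.0.2.5 host=BOB-DESKTOP
"""

KV = re.compile(r"(\w+)=(\S+)")

def parse_log(text):
    """Turn each 'timestamp key=value ...' line into a dict with a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        ev = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
        ev.update(KV.findall(rest))
        events.append(ev)
    return events

def find_token_anomalies(events, window=timedelta(hours=24)):
    """Two defender-side checks on sync-token use:
    1. the same token syncing from a new (ip, host) within `window`, the
       signature of a copied token being replayed from another machine;
    2. a token still accepted after the account changed its password, the
       durable-token behaviour the report described for Dropbox."""
    alerts = []
    seen = defaultdict(dict)   # token -> {(ip, host): first time seen}
    pw_changed = {}            # account -> time of password change
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev.get("event") == "password_change":
            pw_changed[ev["account"]] = ev["ts"]
            continue
        tok, origin = ev["token"], (ev["ip"], ev["host"])
        origins = seen[tok]
        if origin not in origins:
            if origins and ev["ts"] - min(origins.values()) <= window:
                alerts.append(("token_reused_from_new_device", tok, ev["host"]))
            origins[origin] = ev["ts"]
        changed = pw_changed.get(ev["account"])
        if changed and ev["ts"] > changed:
            alerts.append(("token_valid_after_password_change", tok, ev["host"]))
    return alerts

def run_sample():
    """Run both checks over the constructed log above."""
    return find_token_anomalies(parse_log(SAMPLE_LOG))
```

On a service that rotates tokens at password change, the second alert can never fire, so its presence in real logs is itself evidence of the weakness the report describes.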