Over-broad by default: third-party app permissions on your Dropbox
2014–2026
Many third-party integrations request broad, full-Dropbox access rather than scoped, folder-limited permissions — so a single connected app, if compromised, can expose everything in an account.
What happened
When you connect a third-party app to Dropbox via OAuth, it asks for permission to access your files. Dropbox supports scoped, app-folder-only access, but a great many integrations historically requested full-account access — the ability to read and write everything in your Dropbox — because it is the path of least resistance for developers. Users routinely grant these requests without scrutinizing them.
The consequence is concentration of risk: every app granted full access has the same reach as the account itself. If that app is breached, sold, abandoned, or turns malicious, the attacker inherits broad access to your files through a valid OAuth token, with no Dropbox password required and no Dropbox breach necessary. The 2024 Dropbox Sign incident, in which OAuth tokens and API keys were among the exposed data, is a concrete illustration of why tokens and scopes matter. Stale connected apps that users forgot they authorized compound the exposure.
Dropbox provides a connected-apps page where users can review and revoke access, and it has expanded scoped-permission options for developers. But the default culture of broad grants, and the difficulty of auditing what each app can really do, leaves a persistent, under-appreciated attack surface.
Impact
OAuth over-permissioning is one of the most overlooked risks in the Dropbox ecosystem: it routes around passwords and 2FA entirely, and it means a user's exposure is only as strong as the least secure app they ever connected. It links the developer-platform and security stories — and it is why periodically auditing and revoking connected apps is essential hygiene.
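Two sides of the point above can be shown in code: a developer requesting only the scopes an integration needs (rather than everything the app key allows), and a user or admin auditing connected apps for full-Dropbox access, write capability, and staleness. The following is an added example, not code from the page or from Dropbox. The authorize endpoint, the `scope`, `token_access_type`, and PKCE (`code_challenge`) parameters, and the scope names are real Dropbox OAuth 2 values; the connected-app records, the client id placeholder and the `access_type` field are constructed stand-ins for what the connected-apps page shows, and the one-year staleness threshold is an assumed policy.

```python
"""Least-privilege helpers for a Dropbox OAuth integration (added example)."""
import base64
import hashlib
import secrets
from datetime import date, timedelta
from urllib.parse import urlencode

# Real Dropbox OAuth 2 authorize endpoint.
AUTHORIZE_URL = "https://www.dropbox.com/oauth2/authorize"

# Real Dropbox API v2 scope names, split by whether they let an app alter content.
READ_ONLY_SCOPES = {"account_info.read", "files.metadata.read",
                    "files.content.read", "sharing.read"}
WRITE_SCOPES = {"files.metadata.write", "files.content.write", "sharing.write"}


def make_pkce_pair():
    """RFC 7636 PKCE: a random verifier and its base64url(SHA-256) challenge."""
    verifier = secrets.token_urlsafe(64)          # 86 chars, within the 43..128 limit
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_scoped_authorize_url(client_id, redirect_uri, scopes, state, code_challenge):
    """Authorize URL that asks for exactly `scopes`, refuses unknown or empty sets."""
    scopes = set(scopes)
    unknown = scopes - READ_ONLY_SCOPES - WRITE_SCOPES
    if not scopes or unknown:
        raise ValueError(f"refusing to request scopes: {sorted(unknown) or 'none'}")
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": " ".join(sorted(scopes)),   # space-separated per the OAuth spec
        "token_access_type": "offline",      # refresh token instead of a long-lived one
        "state": state,                      # CSRF binding for the redirect
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


# Constructed sample of a user's connected apps. `access_type` mirrors the app's
# permission type (app folder vs. full Dropbox); scopes and dates are made up.
CONNECTED_APPS = [
    {"name": "PhotoBackup", "access_type": "full_dropbox",
     "scopes": {"account_info.read", "files.metadata.read",
                "files.content.read", "files.content.write"},
     "last_used": date(2023, 1, 15)},
    {"name": "NotesSync", "access_type": "app_folder",
     "scopes": {"account_info.read", "files.content.read", "files.content.write"},
     "last_used": date(2024, 5, 2)},
    {"name": "OldTaxTool", "access_type": "full_dropbox",
     "scopes": {"account_info.read", "files.metadata.read", "files.content.read"},
     "last_used": date(2021, 4, 10)},
]


def audit_connected_apps(apps, today, stale_after=timedelta(days=365)):
    """Return (app name, reasons) for every app worth reviewing or revoking.

    Flags full-Dropbox access, any write scope, and apps unused past `stale_after`
    (an assumed policy threshold). Apps with no findings are omitted.
    """
    findings = []
    for app in apps:
        reasons = []
        if app["access_type"] == "full_dropbox":
            reasons.append("full-dropbox access")
        writes = app["scopes"] & WRITE_SCOPES
        if writes:
            reasons.append("write scopes: " + ", ".join(sorted(writes)))
        idle = today - app["last_used"]
        if idle > stale_after:
            reasons.append(f"not used for {idle.days} days")
        if reasons:
            findings.append((app["name"], reasons))
    return findings


if __name__ == "__main__":
    _, challenge = make_pkce_pair()
    print(build_scoped_authorize_url("APP_KEY_PLACEHOLDER", "https://example.com/cb",
                                     {"account_info.read", "files.content.read"},
                                     "opaque-state", challenge))
    for name, reasons in audit_connected_apps(CONNECTED_APPS, date(2024, 6, 1)):
        print(f"{name}: {'; '.join(reasons)}")
```

The audit deliberately treats full-Dropbox access as a finding on its own, even for a read-only app: the page's point is that reach, not just write capability, is what a stolen token inherits. An app that is both full-access and long unused is the first thing to revoke from the connected-apps page.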
Sources
- Dropbox Developers — OAuth guide and permission scopes (Official / Dropbox, 2021)
- Dropbox Help Center — "Connected apps and your Dropbox account" (review/revoke access) (Official / Dropbox, 2022)