Over-broad OAuth scopes: the standing risk from third-party apps with full Dropbox access
2014–2026
Dropbox's OAuth model historically let third-party apps request full account access, and tokens persist until revoked — so a single over-permissioned or compromised integration can read, write or delete a user's entire Dropbox without any further prompt.
What happened
Dropbox's developer platform uses OAuth, where users grant apps access via tokens. For years many integrations requested the broadest possible 'full Dropbox' access by default, because over-scoping is easier for developers and users tend to approve consent screens without scrutiny. The result is a large blast radius: a token granted once keeps working — often for years — until the user explicitly revokes it, and the activity flows through Dropbox's legitimate API, so abuse can look like normal use and evade traditional controls.
Dropbox itself has moved to mitigate this, introducing scoped permissions and a 2021 migration that pushed apps toward least-privilege scopes and short-lived access tokens with refresh tokens, and advising during app review that developers not request unnecessarily broad access. But the underlying risk endures wherever users have granted standing full-access tokens to apps they no longer use or that later get compromised — and the 2024 Dropbox Sign breach, which exposed customers' OAuth tokens and API keys, made the danger of leaked tokens concrete.
Impact
Over-broad, long-lived OAuth grants turn the convenience of integrations into a persistent supply-chain exposure: compromise one popular app and you can exfiltrate the files of everyone who connected it. The pattern keeps OAuth-token hygiene — auditing connected apps and revoking stale grants — a recurring user-security burden, and frames why token theft (rather than password theft) has become the more potent threat to cloud-storage accounts.
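The audit described above, as an added example that is not Dropbox's code or API: a small Python policy check run over a constructed inventory of one account's connected apps, flagging legacy full-Dropbox grants, write-capable grants that have gone idle, and long-lived tokens that never expire. The access-type and scope strings are illustrative; in practice the inventory would come from the account's connected-apps page or an admin export.

```python
from datetime import date

# Constructed inventory of third-party OAuth grants on one account (sample data).
# "full_dropbox" stands for the legacy full-account access type; "scoped" grants
# carry illustrative scope names in the style of the later least-privilege model.
GRANTS = [
    {"app": "OldBackupTool", "access": "full_dropbox", "scopes": [],
     "last_used": "2017-02-14", "refresh_tokens": False},
    {"app": "TaxPrepSync", "access": "scoped", "scopes": ["files.content.read", "files.content.write"],
     "last_used": "2026-01-05", "refresh_tokens": True},
    {"app": "ResumeViewer", "access": "scoped", "scopes": ["files.content.read"],
     "last_used": "2024-03-01", "refresh_tokens": True},
    {"app": "LegacyEditor", "access": "scoped", "scopes": ["files.content.read", "files.content.write"],
     "last_used": "2023-05-05", "refresh_tokens": True},
]

# Scopes that let an app modify or delete content (illustrative names).
WRITE_SCOPES = {"files.content.write"}

def audit_grants(grants, today_iso, stale_days=365):
    """Return one finding per grant as (app, severity, reasons).
    "revoke": legacy full-account access, or a write-capable grant idle longer
    than stale_days; "review": any lesser issue; "ok": nothing flagged."""
    today = date.fromisoformat(today_iso)
    findings = []
    for g in grants:
        reasons = []
        idle_days = (today - date.fromisoformat(g["last_used"])).days
        full = g["access"] == "full_dropbox"
        can_write = full or bool(WRITE_SCOPES & set(g["scopes"]))
        if full:
            reasons.append("legacy full-Dropbox access: can read, write and delete everything")
        if idle_days > stale_days:
            reasons.append(f"idle for {idle_days} days")
        if not g["refresh_tokens"]:
            reasons.append("long-lived access token; valid until explicitly revoked")
        if full or (can_write and idle_days > stale_days):
            severity = "revoke"
        else:
            severity = "review" if reasons else "ok"
        findings.append((g["app"], severity, reasons))
    return findings

def revocation_list(findings):
    """Apps whose grants should be revoked now, in inventory order."""
    return [app for app, severity, _ in findings if severity == "revoke"]

if __name__ == "__main__":
    for app, severity, reasons in audit_grants(GRANTS, "2026-03-01"):
        print(f"{severity:6} {app}: {'; '.join(reasons) or 'scoped and recently used'}")
```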