At Black Hat USA 2015, Imperva researchers showed that stealing a single synchronization token let an attacker take over a Dropbox account and read its files indefinitely — and that, in Dropbox's case, changing the password did not revoke the stolen token.
Researcher Derek Newton showed that Dropbox's desktop client stored an unencrypted authentication token (host_id) in a local config.db file — copy that one value to another machine and you owned the victim's account, with no password and no notification.
Dropbox's 2019 redesign replaced its famously minimal sync-folder app with a heavy, Electron-based 'workspace' window — a Slack-like file manager that critics said abandoned the simple, reliable syncing that made Dropbox loved.
At USENIX WOOT 2013, Dhiru Kholia and Przemyslaw Wegrzyn unpacked and decompiled Dropbox's obfuscated-Python desktop client, demonstrated SSL interception via code injection, and described a way to hijack accounts and bypass two-factor authentication.
After Apple Silicon Macs shipped in late 2020, Dropbox went nearly a year without a native build, forcing its always-on sync daemon to run under Rosetta 2 emulation — to mounting user fury — before committing to a native release in 2022.
Users complain that the Dropbox desktop app sets itself to launch at startup, embeds itself in Windows File Explorer and macOS Finder, and is difficult to fully remove — with 'failed to uninstall' errors and leftover launch agents, caches, and folders that must be cleaned out by hand.
Long-running, widely reported complaints describe the Dropbox desktop client consuming excessive CPU, disk, memory, and battery — sometimes pinning processors above 100% and draining laptop batteries even when nothing is actively syncing.