by lucb1e 4671 days ago
Read the paper. They haven't actually found a way to really bypass two-factor authentication and all other security measures. With their findings, you can hijack an account if:

- you feel like cracking a 256-bit random value remotely (can't locally brute-force it), or

- you have filesystem access.

I'd say both are irrelevant. You can't crack 256-bit values locally, let alone if you have to check the value remotely, and with filesystem access I imagine you can do a whole lot more than just uploading files to someone's Dropbox.

Bypassing two-factor authentication with either of the options is possible though, and I can see the issue, but this is by design. I don't think you want to have to enter your credentials (username, password, second factor) every single time you store a file or check for updates.

1 comment

If you have filesystem (write) access, you don't have to hack Dropbox to upload files, just put the files in the appropriate folder. And if you can execute code, you can just remote control the UI (move the cursor, type) and do anything the user can.

But I'm glad to hear that they found no "actual" weakness that would enable a hacker with only my account name, or who is on my WiFi, to access my Dropbox.