Skip to content

Dropbox API Key

Service Name: Dropbox

Service Description: Dropbox is a cloud storage and file synchronization service that allows users to store files on remote servers, synchronize files across devices, and share files with other users. It offers both personal and business solutions for file storage, sharing, and collaboration.

Service Address: https://www.dropbox.com/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the team level for Dropbox Business accounts, but not at the individual API key level.

Secret Access Scope: Depending on the type of key (App OAuth Token, App Credentials, or Legacy Token), it can grant access to user files, folders, and account information through the Dropbox API.

Secret Revokement URL: https://www.dropbox.com/account/security

Secret Example: sl.BXhM2ADmIeJP9_8ufRsQrdJ-CjsIQYbBfJdM2F_EXAMPLE

Suspicious Activity Investigation Instructions:

  • Review the Dropbox account's recent activity logs for unauthorized file access or modifications.
  • Check for unknown devices or locations that have accessed the account.
  • Examine API usage logs for unusual patterns or unauthorized applications.
  • Verify if any files have been shared with unexpected users or made public.
  • Check for any new third-party app integrations that were not authorized.

Mitigation Instructions:

  • Immediately revoke the compromised API token through the Dropbox developer console.
  • For OAuth tokens: Navigate to Connected apps and remove the associated application.
  • For App credentials: Go to Dropbox App Console, select the app, and reset the app secret.
  • Enable two-factor authentication on the Dropbox account if not already enabled.
  • Review and update password for the associated Dropbox account.
  • Check for and remove any unauthorized file shares or public links.
  • Generate a new API key with appropriate scopes and permissions.
  • Implement proper secret management practices to securely store the new API key.