Dropbox app security issue

I just noticed that when the admin account connects their Dropbox account for the new feature that was released in the new FW update, any user who has access to the dashboard can view the account information. I attached an image below to show you that I was signed in to a dummy account to the dashboard and was able to see my admin linked Dropbox account. In addition, the users can not only sign you out of the app, which will affect the admin account on its own, but can move the sync location and cause it to begin syncing files from the Dropbox to the newly selected folder, which means that they would then get access to the files you have stored on your Dropbox account NAS folder. This is a HUGE turn off for this feature as for one I don't want users seeing my Dropbox criteria, and two it would have been nice if each user could link their own account and sync info back and forth.

Hello, remember to set up a password for your dashboard so only you can access it. For other feature requests you can post any suggestions in the ideas board.


That still does not resolve the problem at all. Another flawed problem with the MyCloud series

sxc7885 wrote:

That still does not resolve the problem at all. Another flawed problem with the MyCloud series

I’m not sure I’m getting your point.  Password protecting the Dashboard makes it only available to the administrator.  You give admin privileges to everyone and they’ll be able to see everything.  What am I missing?

I will have our product people look into this in any case.

Let me rephrase the issue and maybe then it will make more sense.

If I log into my account (ADMIN) and sign in to my Dropbox account to sync files into my personal document folder, no one else should be able to see them without permission to that folder (which only I have).

HOWEVER, if you log into the dashboard under your account (BILL_S) and go to the apps section you see my Dropbox info and can even remove the service, change the folders that are being synced, and change the place they sync to.

I was able to use a second user account to do just this in a test I ran on my server. 

While the other employee mentioned to only allow dashboard access to me and to set a password so people can't get into it, there are some that need access to the dashboard for file upload/download since they can't install the desktop app on certain devices.
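The authorization gap described in the post above, as an added example that is not part of the thread and is not WD's firmware code: a small model of linked-app settings where the weak check only requires a dashboard login, next to an owner-bound check. All names here (`AppLink`, `LINKS`, `SHARE_WRITERS`, the share names and the account label) are hypothetical and the data is constructed.

```python
from dataclasses import dataclass

class Denied(Exception):
    """Raised when a dashboard user may not touch a linked account."""

@dataclass
class AppLink:
    owner: str        # dashboard user who linked the cloud account
    account: str      # label of the linked account
    sync_folder: str  # NAS share the account syncs into

# Constructed sample data: share write ACLs and one linked account.
SHARE_WRITERS = {"ADMIN_Documents": {"ADMIN"}, "Public": {"ADMIN", "BILL_S"}}
LINKS = {"dropbox": AppLink("ADMIN", "admin@example.com", "ADMIN_Documents")}

def view_link_weak(user: str, app: str) -> AppLink:
    # Behaviour reported in the thread: being logged in is the only condition.
    return LINKS[app]

def owned_link(user: str, app: str) -> AppLink:
    # Hardened: the link is visible and editable only by the user who made it.
    link = LINKS.get(app)
    if link is None or link.owner != user:
        raise Denied(f"{user} has no {app} link")
    return link

def view_link(user: str, app: str) -> AppLink:
    return owned_link(user, app)

def move_sync_folder(user: str, app: str, new_folder: str) -> AppLink:
    link = owned_link(user, app)
    # The owner must already have write access to the target share, so a
    # sync can never place files where folder permissions would not.
    if link.owner not in SHARE_WRITERS.get(new_folder, set()):
        raise Denied(f"{link.owner} cannot write to {new_folder}")
    link.sync_folder = new_folder
    return link

def unlink(user: str, app: str) -> AppLink:
    owned_link(user, app)
    return LINKS.pop(app)

if __name__ == "__main__":
    print(view_link_weak("BILL_S", "dropbox"))   # leaks ADMIN's link
    for action in (view_link, unlink):
        try:
            action("BILL_S", "dropbox")
        except Denied as exc:
            print("denied:", exc)
```

Keying each link to its owner also allows several users to hold their own links side by side, which is the per-user linking the original post asks for.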

sxc7885 - Hmm…it seems the EX4’s dashboard allows access to the apps tab to non-admin users, according to your screenshot. The EX2’s dashboard doesn’t (see below). I see your problem on the EX4.

EDIT: Well, never mind - I realized…it could be because I don’t have the dropbox or any app added on my EX2 (Dropbox support isn’t even supported on current EX2’s firmware). But I think I see sxc7885’s issue …he clearly logged in as a non-admin user…not as an admin - and therefore does not have full access to the dashboard that the admin user would have.

We have passed this on to be dealt with as a security issue.  Thanks for putting up with my thick-headedness.

Thank you for forwarding it on. I should have been more detailed in my original posting.

No problem.