How sync tokens from Dropbox, OneDrive, and Google Drive are hijacked without ever touching a password — and the privacy, jurisdiction, and data isolation challenges that define cloud forensics and compliance.
Sign in to mark this article as read and track your progress.
Man-in-the-Cloud (MitC) is an attack against cloud synchronisation services — Dropbox, OneDrive, Google Drive, Box — that does not require the victim password or MFA. It targets the synchronisation tokens these services store locally on devices.
Cloud storage clients authenticate once and receive a long-lived sync token (OAuth refresh token or similar) that is stored locally. The application uses this token to sync files without re-prompting for credentials.
Step 1 — Malware or physical access obtains the victim machine.
Step 2 — Token theft: The attacker locates the sync token storage location:
| Platform | Windows Storage Location |
|---|---|
| Dropbox | %APPDATA%\Dropbox\instance1\sync_engine_db.sqlite |
| OneDrive | Windows Credential Manager (HKCU\...\Windows Credential) |
| Google Drive | %LOCALAPPDATA%\Google\DriveFS\... |
Step 3 — Token replacement: The attacker installs their own token in a cloud client on an attacker-controlled machine, gaining full sync access without triggering MFA.
Step 4 — Persistence: The attacker can receive all future files the victim syncs, exfiltrate existing files, or plant malicious files in the sync folder.
Step 5 — Token swap back: The attacker replaces the victim token, leaving no trace in authentication logs (no login event was ever generated).
Why this is dangerous: There is no authentication event to alert on. Standard security monitoring misses this attack entirely because no login occurs.
When you store data in the cloud, you face a complex overlap of jurisdictions:
Key regulations affecting Indian cloud deployments:
| Regulation | Jurisdiction Implication |
|---|---|
| IT Act 2000 | Sensitive personal data processed in India must follow SPDI rules |
| DPDP Act 2023 | Data principals (Indian citizens) have rights regardless of where data is stored |
| RBI IT Framework | Payment system data must be stored exclusively in India |
| US CLOUD Act 2018 | US authorities can compel US cloud providers for data regardless of storage location |
Cloud data deletion is not as simple as pressing delete:
The secure solution is cryptographic erasure — encrypt data with a unique key, then delete the key. Without the key, the data is computationally irretrievable even if the storage blocks remain.
Cloud providers use hardware, hypervisor, and software controls to isolate tenants. Failures at each layer create different risk profiles:
Man-in-the-Cloud attacks exploit the convenience mechanisms of cloud synchronisation. Privacy in the cloud is a legal, technical, and operational challenge simultaneously. Understanding both informs both your threat model and your compliance obligations.