Two developers have penetrated Dropbox’s security, even intercepting SSL data from its servers and bypassing the cloud storage provider’s two-factor authentication, according to a paper they published at USENIX 2013.
“These techniques are generic enough and we believe would aid in future software development, testing and security research,” the paper says in its abstract.
Dropbox, which claims more than 100 million users upload more than a billion files daily, said the research didn’t actually represent a vulnerability in its servers.
“We appreciate the contributions of these researchers and everyone who helps keep Dropbox safe,” a spokesperson said in an email to Computerworld. “In the case outlined here, the user’s computer would first need to have been compromised in such a way that it would leave the entire computer, not just the user’s Dropbox, open to attacks across the board.”
The two developers, Dhiru Kholia, with the Openwall open source project , and Przemyslaw Wegrzyn, with CodePainters, said they reverse-engineered Dropbox, an application written in Python.
“Our work reveals the internal API used by Dropbox client and makes it straightforward to write a portable open-source Dropbox client,” the paper states. “Additionally, we show how to bypass Dropbox’s two-factor authentication and gain access to users’ data.”
The paper presents “new and generic techniques to reverse engineer frozen Python applications, which are not limited to just the Dropbox world,” the developers wrote.
The researchers described in detail how they were able to unpack, decrypt and decompile Dropbox from scratch. And, once someone has de-compiled its source code, how “it is possible to study how Dropbox works in detail.
“We describe a method to bypass Dropbox’s two-factor authentication and hijack Dropbox accounts. Additionally, generic techniques to intercept SSL data using code injection techniques and monkey patching are presented,” the developers wrote in the paper.
The process they used included various code injection techniques and monkey-patching to intercept SSL data in a Dropbox client. They also used the techniques successfully to snoop on SSL data in other commercial products as well, they said.
The developers are hoping their white hat hacking prompts Dropbox to open source its platform so that it is no longer a “black box.”
Comments