Developers hack Dropbox, show how to access to user data

Paper shows how two-factor authentication can be bypassed to gain access to user data

Two developers have cracked Dropbox's security, even intercepting SSL data from its servers and bypassing the cloud storage provider's two-factor authentication, according to a paper they published at USENIX 2013.

"These techniques are generic enough and we believe would aid in future software development, testing and security research," the paper says in its abstract.

Dropbox, which claims more than 100 million users upload more than a billion files daily, said the research didn't actually represent a vulnerability in its servers.

"We appreciate the contributions of these researchers and everyone who helps keep Dropbox safe," a spokesperson said in an email reply to Computerworld. "In the case outlined here, the user's computer would first need to have been compromised in such a way that it would leave the entire computer, not just the user's Dropbox, open to attacks across the board."

The two developers, Dhiru Kholia, with the Openwall open source project , and Przemyslaw Wegrzyn, with CodePainters, said they reverse-engineered Dropbox, an application written in Python.

"Our work reveals the internal API used by Dropbox client and makes it straightforward to write a portable open-source Dropbox client," the paper states. "Additionally, we show how to bypass Dropbox's two-factor authentication and gain access to users' data."

The paper presents "new and generic techniques to reverse engineer frozen Python applications, which are not limited to just the Dropbox world," the developers wrote.

The researchers described in detail how they were able to unpack, decrypt and decompile Dropbox from scratch. And, once someone has de-compiled its source code, how "it is possible to study how Dropbox works in detail.

"We describe a method to bypass Dropbox's two-factor authentication and hijack Dropbox accounts. Additionally, generic techniques to intercept SSL data using code injection techniques and monkey patching are presented," the developers wrote in the paper.

The process they used included various code injection techniques and monkey-patching to intercept SSL data in a Dropbox client. They also used the techniques successfully to snoop on SSL data in other commercial products as well, they said.

The developers are hoping their white hat hacking prompts Dropbox to open source its platform so that it is no longer a "black box."

"We hope that our work inspires the security community to write an open-source Dropbox client, rene the techniques presented in this paper and conduct research into other cloud-based storage systems," they said.

Lucas Mearian covers storage, disaster recovery and business continuity, financial services infrastructure and health care IT for Computerworld. Follow Lucas on Twitter at  @lucasmearian or subscribe to Lucas's RSS feed . His e-mail address is lmearian@computerworld.com.

See more by Lucas Mearian on Computerworld.com.

From CIO: 8 Free Online Courses to Grow Your Tech Skills
Join the discussion
Be the first to comment on this article. Our Commenting Policies