Dropbox security system cracked by two developers
According to a paper titled “Looking inside the (Drop) box”, two security researchers have successfully cracked Dropbox’s security bypassing two factor authentication and hijacking Dropbox user accounts.
“We believe that our biggest contribution is to open up the Dropbox platform to further security analysis and research” as stated in the document opening. Dropbox responded to the two developers clearly disagreeing: "We appreciate the contributions of these researchers and everyone who helps keep Dropbox safe,” a Dropbox representative said. “However, we believe this research does not present a vulnerability in the Dropbox client. In the case outlined here, the user’s computer would first need to have been compromised in such a way that it would leave the entire computer, not just the user's Dropbox, open to attacks across the board." Dhiru kholia from Openwall-University of British Columbia and Przemyslaw Wegrzyn from CodePainters describe how to unpack, decrypt and decompile Dropbox from scratch and in full detail using new and generic techniques to reverse engineering frozen Python applications. Reverse engineering, or figuring out an app’s development by working backwards starting with its finished product, is a fairly common practice.
Their hacking workflow reveals the internal API used by the popular cloud storage client and makes it straightforward to write a portable open-source Dropbox client.
The process they applied used various code injection techniques and monkey-patching to intercept SSL data in Dropbox client.
There are a lot of cloud storage services on the market using Python and the same techniques analysed in this paper which obviously means they all might be exposed. And Dropbox is not new to this security warning as they suffered wayward code breaking authentication protocols in the past.