Researchers detail attacks for compromising Dropbox user accounts
Dropbox, the popular file hosting service that has managed to amass over 100 million users in the five years since it was launched, has had its fair share of problems: security glitches, hacks, being used as a malware hosting site, etc.
The latest one are two researchers that not only managed to reverse engineer (unpack, decrypt and decompile) the Dropbox client software (i.e. desktop app), but have documented the step-by-step process and have made it public via a paper they presented at the recently concluded USENIX Security Symposium.
In it they presented new techniques to reverse engineer frozen Python applications such as (but not limited to) the Dropbox client, to intercept SSL traffic from its servers, and a method they used to bypass Dropbox’s two factor authentication and hijack Dropbox accounts.
“Once you have the decompiled the source-code, it is possible to study how Dropbox works in detail,” they noted, adding that their work reveals the internal API used by the Dropbox client, which should make it easy for others in the security community to write an open-source Dropbox client.
Despite the fact that Dropbox’ developers are doing a good job at patching the vulnerabilities they misused to perform their attacks, they pointed out that they do not believe that the anti-reverse engineering measures the developers deploy are beneficial for Dropbox users and for Dropbox.
“Most of the Dropbox’s ‘secret sauce’ is on the server side which is already well protected,” they say, and point out that users should be able to know the insides and trust the software they use, especially if they entrust it with their data.
UPDATE:
“We appreciate the contributions of these researchers and everyone who helps keep Dropbox safe. However, we believe this research does not present a vulnerability in the Dropbox client,” a Dropbox spokesperson commented the matter.
“In the case outlined here, the user’s computer would first need to have been compromised in such a way that it would leave the entire computer, not just the user’s Dropbox, open to attacks across the board.”