Developers Hack Dropbox, Show How to Access to User Data
Paper shows how two-factor authentication can be bypassed to gain access to user data
Printed 31/08/13 (PDF copy dated 7/22/2019) from www.computerworld.com/s/article/print/9241984/Developers_hack_Dropbox_show_how_to_access_to_user_data?taxonomyName=Cloud+Security&taxonomy
Lucas Mearian
August 28, 2013 (Computerworld)
Two developers have cracked Dropbox's security, even intercepting SSL data from its servers
and bypassing the cloud storage provider's two-factor authentication, according to a paper they
published at USENIX 2013.
"These techniques are generic enough and we believe would aid in future software development,
testing and security research," the paper says in its abstract.
Dropbox, which claims more than 100 million users upload more than a billion files daily, said the
research didn't actually represent a vulnerability in its servers.
"We appreciate the contributions of these researchers and everyone who helps keep Dropbox
safe," a spokesperson said in an email reply to Computerworld. "In the case outlined here, the
user's computer would first need to have been compromised in such a way that it would leave the
entire computer, not just the user's Dropbox, open to attacks across the board."
The two developers, Dhiru Kholia, with the Openwall open source project, and Przemyslaw
Wegrzyn, with CodePainters, said they reverse-engineered Dropbox, an application written in
Python.
"Our work reveals the internal API used by Dropbox client and makes it straightforward to write a
portable open-source Dropbox client," the paper states. "Additionally, we show how to bypass
Dropbox's two-factor authentication and gain access to users' data."
The paper presents "new and generic techniques to reverse engineer frozen Python applications,
which are not limited to just the Dropbox world," the developers wrote.
The researchers described in detail how they were able to unpack, decrypt and decompile
Dropbox from scratch. And, once someone has decompiled its source code, how "it is possible to
study how Dropbox works in detail."
"We describe a method to bypass Dropbox's two-factor authentication and hijack Dropbox
accounts. Additionally, generic techniques to intercept SSL data using code injection techniques
and monkey patching are presented," the developers wrote in the paper.
The process they used included various code injection techniques and monkey-patching to
intercept SSL data in a Dropbox client. They also used the techniques successfully to snoop on
SSL data in other commercial products as well, they said.
The developers are hoping their white hat hacking prompts Dropbox to open source its platform
so that it is no longer a "black box."
"We hope that our work inspires the security community to write an open-source Dropbox client,
refine the techniques presented in this paper and conduct research into other cloud-based
storage systems," they said.
Paper: https://www.usenix.org/system/files/conference/woot13/woot13-kholia.pdf
Lucas Mearian covers storage, disaster recovery and business continuity, financial services
infrastructure and health care IT for Computerworld. Follow Lucas on Twitter at @lucasmearian
or subscribe to Lucas's RSS feed. His e-mail address is [email protected].
See more by Lucas Mearian on Computerworld.com.