Developers Hack Dropbox, Show How to Access to User Data


    31/08/13 Developers hack Dropbox, show how to access to user data

www.computerworld.com/s/article/print/9241984/Developers_hack_Dropbox_show_how_to_access_to_user_data?taxonomyName=Cloud+Security&taxonomy

Developers hack Dropbox, show how to access to user data

Paper shows how two-factor authentication can be bypassed to gain access to user data

    Lucas Mearian

    August 28, 2013 (Computerworld)

Two developers have cracked Dropbox's security, even intercepting SSL data from its servers and bypassing the cloud storage provider's two-factor authentication, according to a paper they published at USENIX 2013.

"These techniques are generic enough and we believe would aid in future software development, testing and security research," the paper says in its abstract.

Dropbox, which claims more than 100 million users upload more than a billion files daily, said the research didn't actually represent a vulnerability in its servers.

"We appreciate the contributions of these researchers and everyone who helps keep Dropbox safe," a spokesperson said in an email reply to Computerworld. "In the case outlined here, the user's computer would first need to have been compromised in such a way that it would leave the entire computer, not just the user's Dropbox, open to attacks across the board."

The two developers, Dhiru Kholia, with the Openwall open source project, and Przemyslaw Wegrzyn, with CodePainters, said they reverse-engineered the Dropbox client, an application written in Python.

"Our work reveals the internal API used by Dropbox client and makes it straightforward to write a portable open-source Dropbox client," the paper states. "Additionally, we show how to bypass Dropbox's two-factor authentication and gain access to users' data."

The paper presents "new and generic techniques to reverse engineer frozen Python applications, which are not limited to just the Dropbox world," the developers wrote.

The researchers described in detail how they were able to unpack, decrypt and decompile Dropbox from scratch, and, once its source code has been decompiled, how "it is possible to study how Dropbox works in detail."

"We describe a method to bypass Dropbox's two-factor authentication and hijack Dropbox accounts. Additionally, generic techniques to intercept SSL data using code injection techniques and monkey patching are presented," the developers wrote in the paper.

Their process combined several code injection techniques with monkey-patching to intercept SSL data inside the Dropbox client. They said the same techniques also let them snoop on SSL data in other commercial products.
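The monkey-patching half of that approach is easy to show in isolation. The block below is an added example written for this page; it is not code from the Kholia and Wegrzyn paper or from the Dropbox client, and it uses only the Python standard library. It replaces the send and receive methods of a class with wrappers that copy the plaintext into a list before handing it to the original method. Applied to `ssl.SSLSocket`, the wrappers see data before it is encrypted and after it is decrypted, which is exactly why Dropbox could say the server is not at fault: the hook only works inside a process the attacker already controls. The `LoopbackTransport` class is a constructed stand-in for a socket so the example runs offline; `install_hooks`, `remove_hooks` and `hook_ssl` are names chosen here, not part of any library.

```python
"""Monkey-patching a socket class to capture plaintext on both sides of TLS.

Added example for illustration only (not the paper's or Dropbox's code).
Assumes the Python standard library; the names below are this example's own.
"""
import functools
import ssl

OUTBOUND = ("send", "sendall", "write")   # plaintext is the first argument
INBOUND = ("recv", "read")                # plaintext is the return value


def make_hook(method_name, capture):
    """Return a decorator that wraps `method_name` so the bytes passing
    through it are appended to `capture` as (direction, bytes) tuples."""
    def decorate(original):
        @functools.wraps(original)
        def wrapper(self, *args, **kwargs):
            if method_name in OUTBOUND:
                capture.append(("out", bytes(args[0])))
                return original(self, *args, **kwargs)
            result = original(self, *args, **kwargs)
            # recv()/read() return bytes; read(n, buffer) returns an int,
            # so only record results that are actually byte strings.
            if isinstance(result, (bytes, bytearray)):
                capture.append(("in", bytes(result)))
            return result
        wrapper.__hooked__ = True          # marker so we never double-wrap
        return wrapper
    return decorate


def install_hooks(cls, capture, names=OUTBOUND + INBOUND):
    """Replace the named methods on `cls` in place (the monkey patch).
    Returns the originals so the patch can be undone."""
    originals = {}
    for name in names:
        original = getattr(cls, name, None)
        if original is None or getattr(original, "__hooked__", False):
            continue
        originals[name] = original
        setattr(cls, name, make_hook(name, capture)(original))
    return originals


def remove_hooks(cls, originals):
    """Restore the methods saved by install_hooks."""
    for name, original in originals.items():
        setattr(cls, name, original)


def hook_ssl(capture):
    """Patch the real ssl.SSLSocket class; every TLS connection opened by
    this process afterwards leaks its plaintext into `capture`."""
    return install_hooks(ssl.SSLSocket, capture)


class LoopbackTransport:
    """Constructed stand-in for an SSLSocket: it echoes whatever was sent,
    so the example runs with no network, certificates or target process."""
    def __init__(self):
        self._buf = b""

    def send(self, data, flags=0):
        self._buf += bytes(data)
        return len(data)

    def recv(self, bufsize, flags=0):
        out, self._buf = self._buf[:bufsize], self._buf[bufsize:]
        return out


def demo():
    """Hook the stand-in, push one constructed request through it, unhook,
    and return what the hook captured."""
    captured = []
    saved = install_hooks(LoopbackTransport, captured)
    try:
        sock = LoopbackTransport()
        sock.send(b"GET /api HTTP/1.1\r\nHost: example.test\r\n\r\n")
        sock.recv(4096)
    finally:
        remove_hooks(LoopbackTransport, saved)
    return captured


if __name__ == "__main__":
    for direction, data in demo():
        print(direction, data)
```

In a real engagement the hook still has to get into the target process, which is the code injection step the paper pairs with it; this example only covers what happens once it is there. Note that `hook_ssl` patches the class, not an instance, so it also catches connections made by libraries that wrap `ssl.SSLSocket`, such as `http.client`.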

The developers are hoping their white hat hacking prompts Dropbox to open source its platform so that it is no longer a "black box."

"We hope that our work inspires the security community to write an open-source Dropbox client, refine the techniques presented in this paper and conduct research into other cloud-based storage systems," they said.

Lucas Mearian covers storage, disaster recovery and business continuity, financial services infrastructure and health care IT for Computerworld. Follow Lucas on Twitter at @lucasmearian or subscribe to Lucas's RSS feed. His e-mail address is [email protected].

See more by Lucas Mearian on Computerworld.com.