Developers Hacked Dropbox, Bypassed Two-Factor Authentication
Two developers allegedly hacked cloud storage provider Dropbox, bypassing the two-factor authentication and intercepting SSL data from the company’s servers, according to a paper published at USENIX 2013. Dhiru Kholia, from the Openwall open source project, and Przemyslaw Wegrzyn, from consulting agency CodePainters, managed to hack the cloud storage provider through reverse-engineering.
“Before trusting our data to Dropbox, it would be wise (in our opinion) to know more about the internals of Dropbox,” the researchers said. “Questions about the security of the uploading process, two-factor authentication and data encryption are some of the most obvious.”
The paper revealed the storage system’s internal API and made it “straightforward” to write a portable open-source Dropbox client, according to the developers. It also showed how to bypass two-factor authentication and gain access to user data.
Dropbox denied that the research had uncovered any vulnerabilities in its servers. “We appreciate the contributions of these researchers and everyone who helps keep Dropbox safe,” the company’s representatives told Computerworld.
“In the case outlined here, the user’s computer would first need to have been compromised in such a way that it would leave the entire computer, not just the user’s Dropbox, open to attacks across the board.”
The techniques the developers used to reverse engineer frozen Python applications are not limited to Dropbox. The researchers acknowledged that the techniques are generic, but said they would be useful in future software development, testing and research.
In August last year, hundreds of users were spammed after their Dropbox accounts were hacked. The company introduced two-factor authentication, automated mechanisms to monitor suspicious activity, and an activity report page where users can view all logins.
The file storage system claims more than 100 million users who upload over a billion files a day.