Dropbox might be the most widely used cloud storage and sharing service in the world, with over 25 million users and about 200 million files added daily, but its security is constantly being questioned, and not just because of the NSA.
The latest concerns came after two security researchers managed to reverse engineer the Dropbox client, which enabled them to bypass its two-factor authentication and hijack Dropbox accounts. Though reverse engineering is a common way to bypass security, Dhiru Kholia and Przemyslaw Wegrzyn’s work is unusual in that they found a way to reverse engineer the client even though it is an obfuscated application written in Python.
The method has been tried on Dropbox before, but only ever with partial success. Kholia and Wegrzyn, however, claim they can reverse engineer several versions of the Dropbox client software.
“We show how to unpack, decrypt and decompile Dropbox from scratch and in full detail,” wrote Kholia and Wegrzyn.
“This paper presents new and generic techniques to reverse-engineer frozen Python applications. Once you have the de-compiled source code, it is possible to study how Dropbox works in detail.”
Once the client has been unpacked, everything it does can be exposed. The researchers were able to intercept SSL traffic to and from Dropbox servers, bypass Dropbox’s two-factor authentication, and build open-source Dropbox clients.
Fortunately, with each new version of Dropbox the client’s security is tightened, which has already closed one or two of the attack vectors and blocks reverse engineering attacks. This goes to show how important it is to always keep your software updated to the latest version.
“We believe that the arms race between software protection and software reverse engineering will go on. Protecting software against reverse engineering is hard but it is definitely possible to make the process of reverse engineering even harder,” Kholia and Wegrzyn stated.
Dropbox employs anti-reverse-engineering measures to hide and protect its code, but Kholia and Wegrzyn argue that going to such lengths to protect the source code may be doing more harm than good.
“We wonder what Dropbox aims to gain by employing such anti-reversing measures,” reads the research paper.
“Most of Dropbox’s ‘secret sauce’ is on the server-side, which is already well protected. We do not believe these anti-reverse-engineering measures are beneficial for Dropbox users and for Dropbox.”
Security expert Robert Schifreen stated that suddenly opening up the source code would make the client vulnerable, since it would allow the creation of malicious look-alike apps that collect login credentials and perform other activities that put your account at risk.
“[These are] the perils of writing and distributing interpreted code, even if obfuscated,” Schifreen told TechWeekEurope.
So are we safe using Dropbox? Not entirely, but its software engineers are clearly doing their best to make it secure for users. A spokesperson for Dropbox was quick to contact SiliconANGLE to deny that the research presented a security risk, saying:
“We appreciate the contributions of these researchers and everyone who helps keep Dropbox safe. However, we believe this research does not present a vulnerability in the Dropbox client. In the case outlined here, the user’s computer would first need to have been compromised in such a way that it would leave the entire computer, not just the user’s Dropbox, open to attacks across the board.”
And with NSAgate still unresolved, the Dropbox vulnerability might seem somewhat less of a concern anyway.