Python regurgitates Dropbox secrets to boffins
Researchers pick over the entrails to spot vulns
A couple of security researchers have set spines shivering in the cloud world by demonstrating that Dropbox's obfuscated code can be reverse-engineered, along the way capturing SSL data from the service's cloud and bypassing the two-factor authentication used to secure user data.
However, as is clear from the Usenix research paper and has been confirmed by Dropbox, their work doesn't create a generic attack vector. The attacks only work if the attacker already has unfettered access to the target machine.
As Dropbox puts it: “In the case outlined here, the user’s computer would first need to have been compromised in such a way that it would leave the entire computer, not just the user's Dropbox, open to attacks across the board.” (More on this in a minute.)
Perhaps the most interesting aspect of the work by Openwall's Dhiro Kholia and CodePainters' Przemyslaw Wegrzyn is that they were able to reverse-engineer the heavily protected Dropbox Python code.
“Our work reveals the internal API used by Dropbox client and makes it straightforward to write a portable open-source Dropbox client,” they write. As a result, they say, it should be possible for researchers to subject Dropbox to more rigorous security analysis.
The researchers also observe that Dropbox's two-factor authentication, used for accessing its Website, is not supported in the client software. “This implies that it is sufﬁcient to have only the host_id value to gain access to the target’s data stored in Dropbox.”
However, the host_id value is stored on the local machine in an encrypted SQLite database – meaning it can only be recovered by someone with access to that machine. ®