Cloud-based file hosting site Dropbox was recently reverse engineered by software developers seeking to conduct security analysis on the platform.
In their paper titled “Looking Inside the (Drop) box,” Dhiru Kholia, a JtR, Ettercap and hashkill developer with the Openwall Project and the University of British Columbia, and Przemyslaw Wegrzyn, of CodePainters.com, described how to break into Dropbox’s “frozen Python applications,” bypass its two-factor authentication and ultimately hijack accounts.
Reverse engineering in itself is not a malicious attack. For years researchers have used the technique to look into the workings of various products. Reverse engineering software is a more recent practice. Original developers of the software typically work to “harden” its defense to prevent tinkering, while other developers seek out ways to get past the “obfuscation.”
Today Dropbox issued a statement saying the company “appreciates the contributions” of Kholia and Wegrzyn as well as other researchers who want to keep Dropbox safe. The company, however, added that the research “does not present a vulnerability in the Dropbox client.”
“In the case outlined here, the user’s computer would first need to have been compromised in such a way that it would leave the entire computer, not just the user’s Dropbox, open to attacks across the board,” a Dropbox spokesperson said.
The researchers reported on the anti-reversing techniques used by Dropbox and described methods of breaking through them.
Kholia and Wegrzyn said that the Dropbox platform has not been previously “analyzed extensively from a security standpoint” and that previous security analysis was “heavily censored.”
“We believe that our biggest contribution is to open up the Dropbox platform to further security analysis and research,” the duo said. “Dropbox will no longer be a black box.”
The paper also detailed procedures for intercepting SSL data and new ways to hijack Dropbox accounts.
Kholia and Wegrzyn’s paper provided some suggestions on how Dropbox can strengthen its defences but also wondered why Dropbox would want to guard against reverse engineering in the first place.
“That being said, we wonder what Dropbox aims to gain by employing such anti-reversing measures,” they said. “Most of the Dropbox ‘secret sauce’ is on the server side which is already well protected. We do not believe that any anti-RE measures are beneficial for Dropbox users and for Dropbox.”