Researchers reverse engineer Dropbox

Cloud-based file hosting site Dropbox was recently reverse engineered by software developers seeking to conduct security analysis on the platform.

In their paper titled “Looking Inside the (Drop) box,” Dhiru Kholia, a JtR, Ettercap and hashkill developer with the Openwall Project and the University of British Columbia, and Przemyslaw Wegrzyn, of, described how to break into Dropbox’s “frozen Python applications,” bypass its two-factor authentication and ultimately hijack accounts.

Reverse engineering in itself is not a malicious attack. For years researchers have used the technique to look into the workings of various products. Reverse engineering software is a more recent practice. Original developers of the software typically work to “harden” its defense to prevent tinkering, while other developers seek out ways to get past the “obfuscation.”

Today Dropbox issued a statement saying the company “appreciates the contributions” of Kholia and Wegrzyn as well as other researchers who want to keep Dropbox safe. The company, however, added that the research “does not present a vulnerability in the Dropbox client.”

“In the case outlined here, the user’s computer would first need to have been compromised in such a way that it would leave the entire computer, not just the user’s Dropbox, open to attacks across the board,” a Dropbox spokesperson said.

The researchers reported on the anti-reversing techniques used by Dropbox and described methods of breaking through them.

Kholia and Wegrzyn said that the Dropbox platform has not been previously “analyzed extensively from a security standpoint” and that previous security analysis was “heavily censored.”

“We believe that our biggest contribution is to open up the Dropbox platform to further security analysis and research,” the duo said. “Dropbox will no longer be a black box.”

The paper also detailed procedures for intercepting SSL data and new ways to hijack Dropbox accounts.

Kholia and Wegrzyn’s paper provided some suggestions on how Dropbox can strengthen its defences but also wondered why Dropbox would want to guard against reverse engineering in the first place.

“That being said, we wonder what Dropbox aims to gain by employing such anti-reversing measures,” they said. “Most of the Dropbox ‘secret sauce’ is on the server side which is already well protected. We do not believe that any anti-RE measures are beneficial for Dropbox users and for Dropbox.”

Read the full text of Looking inside the (Drop) box here





Nestor E. Arellano
Toronto-based journalist specializing in technology and business news. Blogs and tweets on the latest tech trends and gadgets.
