Posted by: Eric Hansen
At this year’s USENIX talks, an interesting presentation was given describing how two people reverse engineered Dropbox’s client. This project, performed by Dhiru Kholia of Openwall and Przemyslaw Wegrzyn of CodePainters, showed how to both intercept SSL traffic (and thus manipulate the API calls) and bypass two-factor authentication. The authors also note, however, that for this attack to be effective you need to have already compromised the machine:
Kholia concurred that hijacking a Dropbox client first requires hacking an existing vulnerability on the target user’s machine, which can be executed remotely.
So if you’re wanting to peek at your friend’s Dropbox account, you’ll have to dig deeper into the architecture to even attempt it. In the end they still proclaim Dropbox to be a viable and efficient tool for its purpose; they were looking to open the eyes of the IT security community, not to devalue the usefulness of Dropbox.
From what I’m able to gather, being able to intercept the SSL traffic opens up the floodgates of possibilities. You’ll be able to see the data both before encryption and after decryption and snoop out the details you want/need.