I.T. Security and Linux Administration

Aug 29 2013   3:35PM GMT

Dropbox Client Reverse Engineered

Eric Hansen

At this year’s USENIX talks, an interesting presentation described how two researchers reverse engineered Dropbox’s client.  The project, by Dhiru Kholia of Openwall and Przemyslaw Wegrzyn of CodePainters, showed how to intercept the client’s SSL traffic (and thus manipulate its API calls) and how to bypass two-factor authentication.  The authors also note, however, that for this attack to be effective you need to have already compromised the machine:

Kholia concurred that hijacking a Dropbox client first requires hacking an existing vulnerability on the target user’s machine, which can be executed remotely.

So if you’re hoping to peek at a friend’s Dropbox account, you’ll first have to get onto their machine to even attempt it.  In the end the researchers still consider Dropbox a viable and efficient tool for its purpose; their aim was to open the eyes of the IT security community, not to devalue the usefulness of Dropbox.

From what I’m able to gather, being able to intercept the SSL traffic opens up the floodgates of possibilities.  You’ll be able to see the data both before encryption and after decryption and snoop out the details you want/need.
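To make the "before encryption and after decryption" point concrete, here is an added example (mine, not code from the talk, the paper or Dropbox) of the general technique an attacker with code execution on the client host can use: instead of attacking TLS on the wire, hook the client's own send/receive routines inside the process so the plaintext is copied out on its way to, and from, the encryption layer. The `FakeTLSSocket` class, its toy XOR "encryption", the `/api/list_files` request and the `example.invalid` host are all constructed for the demo; `install_tap()` is then attached to, and removed from, the real `ssl.SSLSocket` class to show the same hook applies there, without opening any connection.

```python
"""Tapping TLS plaintext from inside an already-compromised client process.

Added example for this post; not code from the talk, the paper or Dropbox.
Once an attacker controls the host, they do not need to break TLS on the wire:
they hook the client's own send/receive routines and copy out the data before
it is encrypted (outbound) and after it is decrypted (inbound). install_tap()
does that for any class with socket-like methods; demo() runs it against a
constructed stand-in transport, then shows the identical hook installed on
(and removed from) the real ssl.SSLSocket without any network access.
"""
import functools
import ssl


def install_tap(cls, method, log, direction):
    """Monkeypatch cls.<method> so the plaintext it carries is appended to log.

    direction "out": the first positional argument is plaintext about to be
                     encrypted (e.g. sendall(data)).
    direction "in":  the return value is plaintext just decrypted (e.g. recv()).
    Returns the original method so the caller can restore it.
    """
    original = getattr(cls, method)

    @functools.wraps(original)
    def tapped(self, *args, **kwargs):
        result = original(self, *args, **kwargs)
        data = args[0] if direction == "out" else result
        if isinstance(data, (bytes, bytearray, memoryview)):
            log.append((direction, bytes(data)))
        return result

    setattr(cls, method, tapped)
    return original


def remove_tap(cls, method, original):
    """Undo install_tap() by putting the original method back."""
    setattr(cls, method, original)


def request_lines(log):
    """Extract 'METHOD /path' from every outbound HTTP request in the log:
    with plaintext in hand, API calls are trivial to read (and to alter)."""
    out = []
    for direction, data in log:
        if direction != "out":
            continue
        first = data.split(b"\r\n", 1)[0].split(b" ")
        if len(first) == 3 and first[2].startswith(b"HTTP/"):
            out.append(first[0].decode() + " " + first[1].decode())
    return out


class FakeTLSSocket:
    """Constructed stand-in for ssl.SSLSocket. It 'encrypts' with a fixed XOR
    so bytes on the wire are unreadable while the tap, sitting above the
    encryption layer, still sees clear text. Toy crypto for the demo only."""
    KEY = 0x5A

    def __init__(self):
        self.wire = []     # what an on-path observer would capture
        self._inbox = []   # ciphertext queued from the "server"

    @classmethod
    def _xor(cls, data):
        return bytes(b ^ cls.KEY for b in data)

    def sendall(self, data):
        self.wire.append(self._xor(data))

    def server_send(self, plaintext):
        """The constructed peer 'encrypts' a response and puts it on the wire."""
        self._inbox.append(self._xor(plaintext))

    def recv(self, bufsize=4096):
        return self._xor(self._inbox.pop(0))[:bufsize]


def demo():
    """Run the tap over a constructed exchange; returns (log, wire, real_hooked).

    real_hooked is True if the same hook installed cleanly on
    ssl.SSLSocket.sendall and was restored afterwards."""
    log = []
    orig_send = install_tap(FakeTLSSocket, "sendall", log, "out")
    orig_recv = install_tap(FakeTLSSocket, "recv", log, "in")

    sock = FakeTLSSocket()
    # Constructed request/response resembling a file-sync API call.
    sock.sendall(b"GET /api/list_files?token=SECRET HTTP/1.1\r\n"
                 b"Host: example.invalid\r\n\r\n")
    sock.server_send(b'HTTP/1.1 200 OK\r\n\r\n{"files":["report.pdf"]}')
    sock.recv()

    remove_tap(FakeTLSSocket, "sendall", orig_send)
    remove_tap(FakeTLSSocket, "recv", orig_recv)

    # Same hook against the real class (no connection needed to show it installs).
    real_log = []
    real_orig = install_tap(ssl.SSLSocket, "sendall", real_log, "out")
    real_hooked = getattr(ssl.SSLSocket.sendall, "__wrapped__", None) is real_orig
    remove_tap(ssl.SSLSocket, "sendall", real_orig)

    return log, sock.wire, real_hooked


if __name__ == "__main__":
    log, wire, hooked = demo()
    for direction, data in log:
        print(direction, data)
    print("on the wire:", wire[0][:20])
    print("requests seen:", request_lines(log))
    print("hook installs on ssl.SSLSocket:", hooked)
```

The point of the demo is the asymmetry it shows: the bytes in `wire` are unreadable to anyone sniffing the network, yet the tap records the full request (including the token) and the decrypted response, because it runs where the client itself handles plaintext. That is why the researchers stress that the machine must already be compromised; TLS is doing its job on the wire, it just cannot protect data from code running inside the endpoint.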
