Dhiru Kholia of Openwall and the University of British Columbia, and Przemyslaw Wegrzyn of Code Painters have published a new paper demonstrating how they can reverse engineer the Dropbox client app and gain access to the user’s Dropbox cloud storage. To a degree, these are separate issues. The purpose of reverse engineering the code is firstly to show that it can be done (the client ships as “frozen” Python code, a packaging intended to hinder reverse engineering), and secondly to argue that the Dropbox client should be open source and therefore subject to greater security peer review.
“We believe that our biggest contribution is to open up the Dropbox platform to further security analysis and research. Dropbox will / should no longer be a black box,” they say. “We hope that our work inspires the security community to write an open-source Dropbox client, refine the techniques presented in this paper and conduct research into other cloud based storage systems.” The reverse engineering techniques are generic and can be applied to any similar python code.
A user’s Dropbox account can be hijacked by learning the user’s host_id and host_int values. These are used by the client to log in automatically without presenting the user’s access credentials. “host_id can be extracted from the encrypted SQLite database [on the user’s local computer] or from the target’s memory using various code injection techniques,” say the researchers. “host_int can be sniffed from Dropbox LAN sync protocol traffic.”
Once an ‘attacker’ has got these, he or she can use them to access the user’s Dropbox account – even if two-factor authentication has been enabled. “We found that two-factor authentication (as used by Dropbox) only protects against unauthorized access to the Dropbox’s website.” Because host_id and host_int identify an already-linked client, access using them is treated as authorized rather than as a new login.
What is clear, however, is that an attacker will need to own the user’s local device in order to do this – something not lost on Dropbox. A spokesman told Business Insider, “We appreciate the contributions of these researchers and everyone who helps keep Dropbox safe. However, we believe this research does not present a vulnerability in the Dropbox client. In the case outlined here, the user’s computer would first need to have been compromised in such a way that it would leave the entire computer, not just the user’s Dropbox, open to attacks across the board.”
In reality, this research is an academic exercise. It throws more light on the workings of Dropbox than Dropbox wished to be known, and makes a case for an open source Dropbox client. It describes a way in which Dropbox accounts can be hijacked; but only after the user’s device has itself been hijacked. At this point, the attacker will have no need to access the cloud storage since he will already have access to the local storage.