Security researchers have published a research paper on how they bypassed the security features of cloud-based storage service Dropbox and gained access to private user files.
Dhiru Kholia of Openwall and Przemysław Wegrzyn of CodePainters said that although the service has more than 100 million users, the platform had previously not been analysed extensively enough from a security standpoint.
They said their goal is to get Dropbox to create an open source version, which would mean that anyone could look at its code and verify that the service is secure.
The researchers said they were able to gain unauthorised access to files, despite the fact that Dropbox added security features after it was hacked a year ago.
Security measures aimed at attracting enterprise users included encryption and two-factor authentication, but both were bypassed by Kholia and Wegrzyn.
They were able to reverse engineer the portion of Dropbox that runs on a user's computer, despite the fact that Dropbox was written in Python using techniques aimed at preventing reverse engineering.
This means that many other cloud services that use Python and the same anti-hacking techniques could be at risk, according to Business Insider.
The researchers said they found that two-factor authentication as used by Dropbox protects only against unauthorised access to Dropbox's website.
“The Dropbox internal client API does not support or use two-factor authentication. This implies that it is sufficient to have only the host_id value to gain access to the target’s data stored in Dropbox,” they said.
However, Dropbox has issued a statement, saying it does not believe that the research presents a vulnerability in the Dropbox client.
“In the case outlined [in the research], the user’s computer would first need to have been compromised in such a way that it would leave the entire computer, not just the user's Dropbox, open to attacks across the board,” the company said.
Kholia and Wegrzyn hope that others will help them build a more secure, open source method for using Dropbox that would be available for Dropbox to adopt.