
Summary:

Uh-oh. White hat hackers reverse engineer Dropbox client-side encryption … but it may not be as bad as it sounds

[Image: Dropbox logo. Photo: Dropbox]

In what could be a speed bump in Dropbox’s drive to attract paying business customers, two researchers said they were able to reverse-engineer the encryption of the Dropbox client.

On the plus side from Dropbox’s perspective is that the two, Dhiru Kholia of Openwall and Przemyslaw Wegrzyn of CodePainters, clearly meant well, and presented their findings at the USENIX Security Conference this week. In other words, they are legit.

On the other hand, they proved it’s possible to untangle the Python code used to build Dropbox client encryption even though that code was “obfuscated” to make such reverse engineering difficult. And the publicity around that might make it harder for Dropbox to gain traction in businesses that are already wiggy about bringing the consumer fan fave — which they might think is insecure — in house.

The two engineers, as security blogger Michael Mimoso pointed out, also demonstrated “how to use code-injection techniques to intercept SSL data, essentially hijacking Dropbox communication, as well as bypass two-factor authentication used to protect accounts.”

Again, that doesn’t sound so good. It’s one thing for folks using a free version of Dropbox to read about this sort of thing, but if you’re a manager wanting to move your department to the paid Dropbox For Business version, such stories don’t bolster your position. In this case there definitely is such a thing as bad press.

In a statement, Dropbox said it appreciated the engineers’ contributions but added that these findings would have little impact in the real world:

“… we believe this research does not present a vulnerability in the Dropbox client. In the case outlined here, the user’s computer would first need to have been compromised in such a way that it would leave the entire computer, not just the user’s Dropbox, open to attacks across the board.”

A TechRepublic story about the encryption issue quoted the same Dropbox statement, and the researchers replied that the statement was correct:

“We have no problems with it. Reversing the Dropbox client was the main focus of our paper (the attacks are just ‘side-effects’). In order to hijack Dropbox accounts, you will need to leverage an existing vulnerability on the target user’s machine. Overall, Dropbox is just fine. There is nothing to worry about. We are still using and loving it.”

  1. Seems your title doesn’t match the article at all. The article states clearly it isn’t a problem at all.

    1. As the story states, reports of reverse engineering/hacks spook folks in companies who make buying decisions even if the problem is characterized as minor.

      I wrote: “It’s one thing for folks using a free version of Dropbox to read about this sort of thing, but if you’re a manager wanting to move your department to the paid Dropbox For Business version, such stories don’t bolster your position. In this case there definitely is such a thing as bad press.”

      Risk-averse IT buyers who already don’t want to try these consumer-oriented technologies look for excuses not to sign on the bottom line. So I stand by the headline.

      Thanks for your note.

      1. Agree with Barb in that IT buyers simply cannot afford to have a security breach, and if there’s the slightest chance, it will give them good reason to keep looking. While Dropbox is right that you have to have access to the actual client to hack it, it does make me question how serious Dropbox is about security. Dropbox is great for syncing photos and non-essential documents, but for enterprise content, intellectual property, medical records, and PII, this discovery, along with previous security issues found in Dropbox, would make me pause as an IT buyer.

  2. This should be a problem for all. This is simple Python code injection. The reverse engineering part is great! Whether you have the free version or not, your data should be secure. Moreover, gaining access to computers is much, much easier than you think. Let’s begin with the fact that most users do not lock their screens, and with a Windows machine as well as Macs, there are plenty of attack vectors to get into your system without you even noticing. I think this is much bigger than what you are making it out to be. Biggest concern: the two-factor authentication API, that is a big no-no.

  3. Guys, check out the cloud storage Copy. It is excellent and cheaper than Dropbox. Copy is the new Dropbox now. I use both currently, but Copy offers you more space for free than Dropbox. Both are good and both come with the desktop client to sync your files to their cloud servers. Check it out and use this link to sign up for Copy to get 20GB free instead of the regular 15GB:

    https://copy.com?r=DFygGq

