In what could be a speed bump in Dropbox’s drive to attract paying business customers, two researchers said they were able to reverse-engineer the encryption of the Dropbox client.
On the plus side from Dropbox’s perspective is that that the two, Dhiru Kholia of Openwall and Przemyslaw Wegrzyn of CodePainters, clearly meant well, and presented their findings at the USENIX Security Conference this week. In other words, they are legit.
On the other hand, they proved it’s possible to untangle the Python code used to build Dropbox client encryption even though that code was “obfuscated” to make such reverse engineering difficult. And the publicity around that might make it harder for Dropbox to gain traction in businesses that are already wiggy about bringing the consumer fan fave — which they might think is insecure — in house.
The two engineers, as security blogger Michael Mimoso pointed out, also demonstrated “how to use code-injection techniques to intercept SSL data, essentially hijacking Dropbox communication, as well as bypass two-factor authentication used to protect accounts. “
Again, that doesn’t sound so good. It’s one thing for folks using a free version of Dropbox to read about this sort of thing, but if you’re a manager wanting to move your department to the paid Dropbox For Business version, such stories don’t bolster your position. In this case there definitely is such a thing as bad press.
In a statement, Dropbox said, it appreciated the engineers’ contributions but said these findings would have little impact in the real world.
” … we believe this research does not present a vulnerability in the Dropbox client. In the case outlined here, the user’s computer would first need to have been compromised in such a way that it would leave the entire computer, not just the user’s Dropbox, open to attacks across the board.”
A TechRepublic story about the encryption issue used the same Dropbox statement to which the researchers replied that the Dropbox statement was correct:
“We have no problems with it. Reversing the Dropbox client was the main focus of our paper (the attacks are just ‘side-effects’). In order to hijack Dropbox accounts, you will need to leverage an existing vulnerability on the target user’s machine. Overall, Dropbox is just fine. There is nothing to worry about. We are still using and loving it.”