Matt Posted August 29, 2013 Report Share Posted August 29, 2013 A couple of security researchers have set spines shivering in the cloud world by demonstrating that Dropbox's obfuscated code can be reverse-engineered, along the way capturing SSL data from the service's cloud and bypassing the two-factor authentication used to secure user data.However, as is clear from the Usenix research paper and has been confirmed by Dropbox, their work doesn't create a generic attack vector. The attacks only work if the attacker already has unfettered access to the target machine.As Dropbox puts it: “In the case outlined here, the user’s computer would first need to have been compromised in such a way that it would leave the entire computer, not just the user's Dropbox, open to attacks across the board.” (More on this in a minute.)Perhaps the most interesting aspect of the work by Openwall's Dhiro Kholia and CodePainters' Przemyslaw Wegrzyn is that they were able to reverse-engineer the heavily protected Dropbox Python code.“Our work reveals the internal API used by Dropbox client and makes it straightforward to write a portable open-source Dropbox client,” they write. As a result, they say, it should be possible for researchers to subject Dropbox to more rigorous security analysis.The researchers also observe that Dropbox's two-factor authentication, used for accessing its Website, is not supported in the client software. “This implies that it is suf?cient to have only the host_id value to gain access to the target’s data stored in Dropbox.”However, the host_id value is stored on the local machine in an encrypted SQLite database – meaning it can only be recovered by someone with access to that machine. ®Source TheRegister.CO.Uk Quote Link to comment Share on other sites More sharing options...
