Reversing Dropbox client code raises security issues

Researchers at last USENIX security symposium presented a new method and consolidated techniques for reversing Dropbox code to bypass Dropbox’s two factor authentication, hijack Dropbox accounts and intercept SSL data.

Reversing Dropbox analysis allowed researchers to crack its open cloud storage service, reverse engineering the encryption protecting the client it is possible to open it up to further security analysis.

Dropbox is a cloud based ﬁle storage service used by more than 100 million users, a security flaw could have serious repercussions.

During the last USENIX Security Symposium researchers Dhiru Kholia of Openwall and Przemyslaw Wegrzyn of CodePainters demonstrated how to use a code-injection attack to intercept SSL data and bypassing the two-factor authentication implemented for protection of Dropbox accounts. The attack allows the hijacking for Dropbox communication compromising the Dropbox security, the techniques proposed reverse engineer frozen Python applications, an approach that isn’t limited to just the Dropbox application.

“The client consists of a modiﬁed Python interpreter running obfuscated Python bytecode. However,Dropbox being a proprietary platform, no source code is available for these clients. Moreover, the API being used by the various Dropbox clients is not documented.”

Company representative refused to consider reversing Dropbox a vulnerability, a spokesperson confirmed to Threatpost their position:

“In the case outlined here, the user’s computer would first need to have been compromised in such a way that it would leave the entire computer, not just the user’s Dropbox, open to attacks across the board,” the spokesman said.

In effect the Reversing Dropbox is possible only if the attacker is able to compromise the client exploiting an existing vulnerability that could be executed remotely.

“Dropbox client has a handy feature which enables a user to login to Dropbox’s website without providing any credentials. This is done by selecting “Launch Dropbox Website” from the Dropbox tray icon. So, how exactly does the Dropbox client accomplish this? Well, two values, host_id and host_int are involved in this process. In fact, knowing host_id and host_int values that are being used by a Dropbox client is enough to access all data from that particular Dropbox account. host_id can be extracted from the encrypted SQLite database or from the target’s memory using various code injection techniques. host_int can be sniffed from Dropbox LAN sync protocol trafﬁc. While this protocol can be disabled, it is turned on by default. We have written an Ettercap plugin [8] to sniff the host_int value remotely on a LAN. It is also possible to extract this value from the target machine’s memory“

Another concerning discovery made by the researchers is that the two-factor authentication available to access Dropbox folder on the Web isn’t supported by the client software, the client can be accessed with a value known as host_ID which could be obtained by an attacker.

Researcher Kholia confirmed that their discovery is arrived as a side-effect of the research mainly focused on Reversing Dropbox, anyway the study raises serious question on the security of the popular web storage.

“We believe that our biggest contribution is to open up the Dropbox platform to further security analysis and research,” “Dropbox will/should no longer be a black box.” said the expert Kholia.

Research on reversing Dropbox is not new but almost related to previous versions of the cloud storage, the researchers started from the analysis of API used by Dropbox client and they were able to decompile the Dropbox client source code and analyze it, in particular they were also able to use Reflective DLL injection and LD_PRELOAD on Windows and Linux to intercept SSL traffic.

“Once we are able to execute arbitrary code in Dropbox client context, we patch all SSL objects and are able to snoop on the data before it has been encrypted (on sending side) and after it has been decrypted (on receiving side),”“This is how we intercept SSL data. We have successfully used the same technique on multiple commercial Python applications.” the paper said.

Despite the results for reversing Dropbox the researcher confirmed their good opinion of the overall security level offered to the users.

“Overall, Dropbox is just fine,” “There is nothing to worry about. We are still using and loving it.” Kholia said.

Pierluigi Paganini

(Security Affairs – Hacking, Reversing Dropbox)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.