Reversing Dropbox client code raises security issues

Pierluigi Paganini September 02, 2013

Researchers at last USENIX security symposium presented a new method and consolidated techniques for reversing Dropbox code to bypass Dropbox’s two factor authentication, hijack Dropbox accounts and intercept SSL data.

Reversing Dropbox analysis allowed researchers to crack its open cloud storage service, reverse engineering the encryption protecting the client it is possible to open it up to further security analysis.

Dropbox is a cloud based file storage service used by more than 100 million users, a security flaw could have serious repercussions.

During the last USENIX Security Symposium researchers Dhiru Kholia of Openwall and Przemyslaw Wegrzyn of CodePainters demonstrated how to use a code-injection attack to intercept SSL data and bypassing the two-factor authentication implemented for protection of Dropbox accounts. The attack allows the hijacking for Dropbox communication compromising the Dropbox security, the techniques proposed reverse engineer frozen Python applications, an approach that isn’t limited to just the Dropbox application.

“The client consists of a modified Python interpreter running obfuscated Python bytecode. However,Dropbox being a proprietary platform, no source code is available for these clients. Moreover, the API being used by the various Dropbox clients is not documented.”

Reversing Dropbox client

Company representative refused to consider reversing Dropbox a vulnerability, a spokesperson confirmed to Threatpost their position:

“In the case outlined here, the user’s computer would first need to have been compromised in such a way that it would leave the entire computer, not just the user’s Dropbox, open to attacks across the board,” the spokesman said.

In effect the Reversing Dropbox is possible only if the attacker is able to compromise the client exploiting an existing vulnerability that could  be executed remotely.

Dropbox client has a handy feature which enables a user to login to Dropbox’s website without providing any credentials. This is done by selecting “Launch Dropbox Website” from the Dropbox tray icon. So, how exactly does the Dropbox client accomplish this? Well, two values, host_id and host_int are involved in this process. In fact, knowing host_id and host_int values that are being used by a Dropbox client is enough to access all data from that particular Dropbox account. host_id can be extracted from the encrypted SQLite database or from the target’s memory using various code injection techniques. host_int can be sniffed from Dropbox LAN sync protocol traffic. While this protocol can be disabled, it is turned on by default. We have written an Ettercap plugin [8] to sniff the host_int value remotely on a LAN. It is also possible to extract this value from the target machine’s memory

Another concerning discovery made by the researchers is that the two-factor authentication available to access Dropbox folder on the Web isn’t supported by the client software, the client can be accessed with a value known as host_ID which could be obtained by an attacker.

Researcher Kholia confirmed that their discovery is arrived as a side-effect of the research mainly focused on Reversing Dropbox, anyway the study raises serious question on the security of the popular web storage.

“We believe that our biggest contribution is to open up the Dropbox platform to further security analysis and research,” “Dropbox will/should no longer be a black box.” said the expert Kholia.

Research on reversing Dropbox is not new but almost related to previous versions of the cloud storage, the researchers started from the analysis of API used by Dropbox client and they were able to decompile the Dropbox client source code and analyze it, in particular they were also able to use Reflective DLL injection and LD_PRELOAD on Windows and Linux to intercept SSL traffic.

“Once we are able to execute arbitrary code in Dropbox client context, we patch all SSL objects and are able to snoop on the data before it has been encrypted (on sending side) and after it has been decrypted (on receiving side),”“This is how we intercept SSL data. We have successfully used the same technique on multiple commercial Python applications.”  the paper said. 

Despite the results for reversing Dropbox the researcher confirmed their good opinion of the overall security level offered to the users.

“Overall, Dropbox is just fine,” “There is nothing to worry about. We are still using and loving it.” Kholia said.

Pierluigi Paganini

(Security Affairs – Hacking, Reversing Dropbox)



you might also like

leave a comment