Dropbox Responds To Security Researcher Hack - HotHardware

Yesterday, we reported that two security researchers successfully reverse-engineered the Dropbox client, intercepting its SSL traffic and bypassing its two-factor authentication. The pair behind the work, Dhiru Kholia and Przemyslaw Wegrzyn, wrote a paper on the process and said that although Dropbox has been quick to plug holes in its security, the service is still vulnerable to attacks such as the one they discovered.

Dropbox disagrees somewhat with Kholia and Wegrzyn's assessment, however. "We appreciate the contributions of these researchers and everyone who helps keep Dropbox safe," a Dropbox spokesperson told us today. "However, we believe this research does not present a vulnerability in the Dropbox client. In the case outlined here, the user's computer would first need to have been compromised in such a way that it would leave the entire computer, not just the user's Dropbox, open to attacks across the board."

The spokesperson did not clarify what was meant by "compromised"; we've reached out for additional comment.

Regardless of whether the weakness lies in the Dropbox client or in the computer itself, it is disconcerting that an attacker could do what Kholia and Wegrzyn did.

The way the bypass works is that the client relies on a host ID, which means that you only log on with two-factor authentication once and then mark the host as 'trusted'.

The reason the host PC must be compromised is to get that host ID.

The SSL traffic is done by code injection, a method called "monkey patching."

These are all possible only when someone already has access to a system, and in such a case it should hardly be Dropbox's fault.
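To make the "monkey patching" mechanism in the comment above concrete, here is an added example (not code from the article, the researchers' paper or Dropbox): a constructed stand-in `transport` module with a `send()` function plays the role of the SSL layer, a wrapper is swapped in at runtime the way a monkey patch does, and a baseline-comparison check shows how a client could notice that its own function objects have been replaced.

```python
import types


def make_transport():
    """Constructed stand-in for an SSL/transport module (not Dropbox code)."""
    mod = types.ModuleType("transport")

    def send(data: bytes) -> int:
        # A real client would encrypt here and write to the socket;
        # the stand-in just reports how many bytes it "sent".
        return len(data)

    mod.send = send
    return mod


def snapshot(mod, names):
    """Record the object identity and bytecode of functions to protect."""
    return {n: (id(getattr(mod, n)), getattr(mod, n).__code__.co_code)
            for n in names}


def verify(mod, baseline):
    """Return the names of functions that no longer match the baseline."""
    tampered = []
    for name, (orig_id, orig_code) in baseline.items():
        fn = getattr(mod, name)
        if id(fn) != orig_id or fn.__code__.co_code != orig_code:
            tampered.append(name)
    return tampered


def inject_wrapper(mod):
    """Demonstrates the mechanism: rebinding mod.send to a wrapper that sees
    every payload before the original runs. Here the wrapper only records
    payload sizes so the effect on the integrity check is visible."""
    original = mod.send
    seen = []

    def patched(data: bytes) -> int:
        seen.append(len(data))
        return original(data)

    mod.send = patched  # the monkey patch: one attribute assignment
    return seen


if __name__ == "__main__":
    t = make_transport()
    base = snapshot(t, ["send"])
    print("before:", verify(t, base))   # []
    inject_wrapper(t)
    print("after:", verify(t, base))    # ['send']
```

The check only helps against a patch applied from outside the process's own trust boundary; code that already runs inside the client with enough privilege to rebind `send` can rebind `verify` just as easily, which is the point the Dropbox spokesperson makes about the machine itself being compromised.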
