Yesterday, we reported that two security researchers Dropbox, intercepting SSL traffic and bypassing its two-factor authentication. The duo that did it, Dhiru Kholia and Przemyslaw Wegrzyn, wrote a paper on the process and said that although Dropbox has been quick to plug any holes in its security, the service is still vulnerable to attacks such as the one they discovered.
Dropbox disagrees somewhat with Kholia’s and Wegrzyn’s assessment, however. “We appreciate the contributions of these researchers and everyone who helps keep Dropbox safe,” a Dropbox spokesperson told us today. “However, we believe this research does not present a vulnerability in the Dropbox client. In the case outlined here, the user’s computer would first need to have been compromised in such a way that it would leave the entire computer, not just the user’s Dropbox, open to attacks across the board.”
The spokesperson did not clarify what was meant by “compromised”; we’ve reached out for additional comment.
Regardless of whether it’s the Dropbox client or the computer itself, it’s disconcerting that a hacker could do what Kholia and Wegrzyn did.