Two hackers report, in a paper presented at the USENIX WOOT 2013 workshop, that they have found further security problems in Dropbox. Using code published alongside their findings, they were even able to intercept the SSL-protected traffic between the Dropbox client and Dropbox's servers, and to bypass the two-factor authentication system entirely.
The paper states that the purpose of the project is to aid the future development of advanced security mechanisms for programs such as Dropbox.
This is not the first time that academic researchers have exposed vulnerabilities in Dropbox; an earlier vulnerability was discussed in a previous article.
Dropbox, which according to the American Bar Association is the preferred cloud-based data storage provider for attorneys, claims over 100 million users worldwide and reports upward of one billion file uploads daily. Dropbox's public relations representatives say that the research does not actually demonstrate any vulnerability in its systems.
“We appreciate the contributions of these researchers and everyone who helps keep Dropbox safe,” a spokesperson said in an email reply to Computerworld. “In the case outlined here, the user’s computer would first need to have been compromised in such a way that it would leave the entire computer, not just the user’s Dropbox, open to attacks across the board.”
The paper's authors, Dhiru Kholia, of the Openwall open-source project and affiliated with the University of British Columbia, and Przemyslaw Wegrzyn, of CodePainters, write that they do not believe Dropbox has been adequately analyzed for security.
Their approach, detailed in a recent PC World article, is based on reverse-engineering the Dropbox client. The client is written in Python and ships as obfuscated, encrypted bytecode; by defeating that protection the researchers were able to decrypt and unpack the program and then study in detail how the Dropbox system works.
This type of work is referred to as "white hat hacking": the researchers' aim is to push Dropbox to open its client to independent security analysis rather than relying on obfuscation. Currently, they write, the Dropbox client is a "black box." Their intentions, however, are not directed solely at Dropbox but at the security industry as a whole.
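The interception mechanism, as an added illustration (this is not the researchers' published code, which is not reproduced on this page): the general technique is to run code inside the client process that replaces the functions data passes through before it is encrypted. The example below hooks Python's socket.socket so that it runs offline on a local socket pair; the same installer pointed at ssl.SSLSocket, whose sendall and recv methods handle data before encryption and after decryption, would record plaintext that is SSL-protected on the wire. The HTTP-looking message is constructed for the demo, and the class and function names (Tap, demo, socket_class_modified) are the example's own.

```python
"""In-process hooking of a socket's send/receive methods.

Added illustration, not the researchers' code. It shows the generic
technique of replacing a method on a class with a wrapper that records
the data passing through it. The demo hooks socket.socket so it runs
offline on a socketpair; pointed at ssl.SSLSocket (a pure-Python class
whose sendall/recv see data before encryption and after decryption),
the same installer observes plaintext that is SSL-protected on the wire.
Precondition: the hook has to run inside the target process.
"""
import socket


class Tap:
    """Records every buffer passed through the hooked send/recv methods."""

    def __init__(self):
        self.sent = []
        self.received = []
        self._cls = None
        self._originals = {}

    def install(self, cls=socket.socket):
        """Replace cls.sendall and cls.recv with recording wrappers."""
        self._cls = cls
        # Remember what the class itself defined (None if inherited), so
        # remove() can restore it exactly or delete our added attribute.
        self._originals = {name: vars(cls).get(name) for name in ("sendall", "recv")}
        real_sendall = cls.sendall
        real_recv = cls.recv
        tap = self

        def sendall(sock, data, *args, **kwargs):
            tap.sent.append(bytes(data))      # data as handed to the API, pre-encryption
            return real_sendall(sock, data, *args, **kwargs)

        def recv(sock, bufsize, *args, **kwargs):
            data = real_recv(sock, bufsize, *args, **kwargs)
            tap.received.append(data)         # data as returned to the caller, post-decryption
            return data

        cls.sendall = sendall
        cls.recv = recv

    def remove(self):
        """Put the class back the way it was."""
        for name, original in self._originals.items():
            if original is None:
                delattr(self._cls, name)
            else:
                setattr(self._cls, name, original)
        self._originals = {}


def socket_class_modified():
    """True while a hook is installed on socket.socket (which defines
    neither sendall nor recv itself; both are inherited from _socket.socket)."""
    return "sendall" in vars(socket.socket) or "recv" in vars(socket.socket)


def demo(message=b"GET /files HTTP/1.1\r\nHost: example\r\n\r\n"):
    """Hook socket.socket, push a constructed message through a local
    socketpair, and return (sent, received, what_the_peer_got)."""
    tap = Tap()
    tap.install()
    left, right = socket.socketpair()
    try:
        left.sendall(message)
        got = right.recv(4096)
    finally:
        left.close()
        right.close()
        tap.remove()
    return tap.sent, tap.received, got


if __name__ == "__main__":
    sent, received, got = demo()
    print("hook saw outbound:", sent)
    print("hook saw inbound: ", received)
    print("peer received:    ", got)
```

The hook only works because the code runs with the same privileges as, and inside, the process whose traffic it records; nothing on the wire or on the server changes. That is the substance of Dropbox's response that the user's computer would already have to be compromised for this to apply.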
“We believe that our biggest contribution is to open up the Dropbox platform to further security analysis and research. Dropbox will / should no longer be a black box,” the report states.
It is unclear what impact this research will have on ordinary Dropbox users, whether for the security of specific users' information or for the vulnerability of the Dropbox platform generally. One of the biggest questions for attorneys, beyond the general requirement that confidential information be kept secure, is whether client information will be available on demand: most state ethics boards require that a client's file be readily available should the client ask for it.