Dropbox has had its share of security woes. One day, wayward code breaks authentication protocols. Another time, user logins get stolen from third-party sites. Now it's a couple of researchers stretching their hacking muscles and proving they could lay waste to Dropbox's security measures.
For users, this may be genuinely alarming news—particularly for those who depend on Dropbox heavily. I certainly do. So perhaps I should feel upset or unnerved by this. But I'm not. At all.
How Dropbox Got Ripped Open
What's clear is that these researchers have no bad intentions. Dhiru Kholia and Przemyslaw Wegrzyn, authors of the paper "Looking inside the (Drop) box" (PDF), just wanted to prove they could do it. And they did. They wowed the developer community by reverse engineering the cloud storage service's desktop application.
Reverse engineering, or figuring out an app's development by working backwards starting with its finished product, is a fairly common practice. But few thought Dropbox could be vulnerable to it.
The app was written in Python and relied heavily on obfuscation, meaning it was intentionally designed to conceal source code. But that didn't stop Kholia and Wegrzyn. They write:
We describe a method to bypass Dropbox’s two-factor authentication and hijack Dropbox accounts. Additionally, generic techniques to intercept SSL data using code injection techniques and monkey patching are presented.
In other words, they were able to make modifications without altering Dropbox's original source code. They also exploited the “Launch Dropbox Website” feature, an item located in the Windows system tray that lets users auto-login to the website. The handling of that in the current version of Dropbox is more secure than in the previous ones, but legacy users could still be at risk of having their accounts breached.
This is an impressive feat, even if it is fraught with some scary potential. The team showed that it's possible to blast through Drobox's two-step login security, hijack accounts and expose code that could allow crafty hackers to devise some ingenious (or malicious) programs.
Fortunately, the researchers have no mischief in mind. They only wanted to prove a point: Blocking access to underlying code doesn't necessarily stop hacks. All it does is impede well-meaning developers from vetting it properly.
Prepping For Cloudy Days
Of course, that doesn't mean some black-hat hacker won't use these exploits to plunder Dropbox users' data. That's no small matter, considering the company has 175 million users.
That's a lot of gigabytes pulsing through the Dropbox cloud. For my part, I make sure that my most sensitive information isn't among them. I store important logins and other personal data locally (either in my laptop or on an external drive). Some files, of medium importance, get either encrypted or password protected. What remains is detritus or items of lower priority.
I may be atypical, but while I like and use services like Dropbox for convenience, I do so knowing they aren't impregnable. In fact, I operate under the assumption that hacks and breaches are inevitable. That's either paranoid or savvy, depending on your point of view. Either way, it offers some peace of mind whenever the clouds get a little stormy.
Feature image courtesy of Flickr user Derek Key
UPDATE: I reached out to Dropbox for a comment, and received the following via email from a company spokesperson:
We appreciate the contributions of these researchers and everyone who helps keep Dropbox safe. However, we believe this research does not present a vulnerability in the Dropbox client. In the case outlined here, the user’s computer would first need to have been compromised in such a way that it would leave the entire computer, not just the user's Dropbox, open to attacks across the board.
Yet another reason to secure those computers. Spread the word.