p*******m posts: 20761 | 1 Developers hack Dropbox, show how to access user data
The cloud storage provider's two-factor authentication was bypassed to gain
access to user data
By Lucas Mearian, Computerworld
August 28, 2013 03:05 PM ET
Computerworld - Two developers have cracked Dropbox's security, even
intercepting SSL data from its servers and bypassing the cloud storage
provider's two-factor authentication, according to a paper they published at
USENIX 2013.
"These techniques are generic enough and we believe would aid in future
software development, testing and security research," the paper says in its
abstract.
Dropbox, which claims more than 100 million users upload more than a billion
files daily, said the research didn't actually represent a vulnerability in
its servers.
"We appreciate the contributions of these researchers and everyone who helps
keep Dropbox safe," a spokesperson said in an email reply to Computerworld.
"In the case outlined here, the user's computer would first need to have
been compromised in such a way that it would leave the entire computer, not
just the user's Dropbox, open to attacks across the board."
The two developers, Dhiru Kholia, with the Openwall open source project,
and Przemyslaw Wegrzyn, with CodePainters, said they reverse-engineered
Dropbox, an application written in Python.
"Our work reveals the internal API used by Dropbox client and makes it
straightforward to write a portable open-source Dropbox client," the paper
states. "Additionally, we show how to bypass Dropbox's two-factor
authentication and gain access to users' data."
The paper presents "new and generic techniques to reverse engineer frozen
Python applications, which are not limited to just the Dropbox world," the
developers wrote.
The researchers described in detail how they unpacked, decrypted and
decompiled the Dropbox client from scratch, and how, once its source has been
recovered, "it is possible to study how Dropbox works in detail."
"We describe a method to bypass Dropbox's two-factor authentication and
hijack Dropbox accounts. Additionally, generic techniques to intercept SSL
data using code injection techniques and monkey patching are presented," the
developers wrote in the paper.
The process they used combined code injection with monkey-patching to
intercept SSL data inside the Dropbox client. They said the same techniques
also worked to snoop on SSL data in other commercial products.
The developers are hoping their white hat hacking prompts Dropbox to open
source its platform so that it is no longer a "black box."
"We hope that our work inspires the security community to write an
open-source Dropbox client, refine the techniques presented in this paper and
conduct research into other cloud-based storage systems," they said.
Lucas Mearian covers storage, disaster recovery and business continuity,
financial services infrastructure and health care IT for Computerworld.
Follow Lucas on Twitter at @lucasmearian or subscribe to Lucas's RSS feed.
His e-mail address is l******[email protected]. | m**x posts: 245 | 2 Having bugs is normal
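The article quoted in the first post says the researchers intercepted SSL data with "code injection techniques and monkey patching" but does not show how. The following is an added example written for this page, not the researchers' code: it demonstrates the monkey-patching half of that technique in Python by wrapping the methods of the standard-library ssl.SSLSocket class that carry application plaintext (send/write before encryption, read after decryption) so that every buffer is copied to a log. The class names PlaintextTap and FakeTLSSocket, the HTTP-like messages and the "example.invalid" host are all constructed here; the example relies on CPython's ssl.py structure, in which sendall() loops over send() and recv()/recv_into() delegate to read(). Because a live TLS session would need a certificate and a peer, the demo applies the identical tap to a stand-in class with the same call structure so that it runs offline; the round trip on the real ssl.SSLSocket is still installed and removed to show it applies.

```python
"""Added example for this page, not the researchers' code: tap TLS plaintext by
monkey-patching the ssl.SSLSocket methods that carry cleartext (send/write before
encryption, read after decryption). The demo applies the same tap to a constructed
stand-in class so it runs offline; a live TLS session would need a certificate."""
import functools
import ssl

# Leaf methods of CPython's ssl.SSLSocket that see plaintext: sendall() loops over
# send() and recv()/recv_into() call read(), so tapping these logs each buffer once.
OUTBOUND = ("send", "write")
INBOUND = ("read",)


class PlaintextTap:
    """Records plaintext crossing a class's send/read methods as (direction, bytes)."""

    def __init__(self):
        self.log = []
        self._saved = []  # (cls, name, original) so uninstall() can restore them

    def install(self, cls=ssl.SSLSocket, outbound=OUTBOUND, inbound=INBOUND):
        for name in outbound:
            self._wrap(cls, name, "out")
        for name in inbound:
            self._wrap(cls, name, "in")
        return self

    def uninstall(self):
        while self._saved:
            cls, name, original = self._saved.pop()
            setattr(cls, name, original)

    def _wrap(self, cls, name, direction):
        original = getattr(cls, name, None)
        if original is None:
            return  # the class has no such method; nothing to tap

        @functools.wraps(original)
        def wrapper(sock, *args, **kwargs):
            if direction == "out":
                data = args[0] if args else kwargs["data"]
                self.log.append(("out", bytes(data)))  # copied before encryption
                return original(sock, *args, **kwargs)
            result = original(sock, *args, **kwargs)
            buf = args[1] if len(args) > 1 else kwargs.get("buffer")
            if isinstance(result, int) and buf is not None:
                data = bytes(memoryview(buf)[:result])  # read() filled a caller buffer
            else:
                data = bytes(result) if result else b""
            if data:
                self.log.append(("in", data))  # copied after decryption
            return result

        self._saved.append((cls, name, original))
        setattr(cls, name, wrapper)


class FakeTLSSocket:
    """Constructed stand-in with ssl.SSLSocket's call structure (sendall loops
    over send, recv calls read); a shared bytearray plays the wire, no real TLS."""

    def __init__(self, wire):
        self._wire = wire

    def send(self, data, flags=0):
        self._wire.extend(data)
        return len(data)

    def sendall(self, data, flags=0):
        view = memoryview(data)
        while view:
            view = view[self.send(view):]

    def read(self, nbytes=1024, buffer=None):
        chunk = bytes(self._wire[:nbytes])
        del self._wire[:nbytes]
        if buffer is None:
            return chunk
        memoryview(buffer)[:len(chunk)] = chunk
        return len(chunk)

    def recv(self, buflen=1024, flags=0):
        return self.read(buflen)


def demo():
    """Runs a constructed HTTP-like exchange through tapped stand-ins; returns the log."""
    tap = PlaintextTap().install(FakeTLSSocket)
    try:
        wire = bytearray()
        client, server = FakeTLSSocket(wire), FakeTLSSocket(wire)
        request = b"POST /login HTTP/1.1\r\nHost: example.invalid\r\n\r\ntoken=constructed-secret"
        client.sendall(request)            # one send() underneath -> one "out" record
        server.recv(4096)                  # one read() underneath -> one "in" record
        server.send(b'HTTP/1.1 200 OK\r\n\r\n{"ok":true}')
        client.read(64, bytearray(64))     # the recv_into path: read() into a caller buffer
    finally:
        tap.uninstall()                    # leave the class as we found it
    return tap.log
```

The tap patches only the leaf methods; wrapping sendall() and recv() as well would record every buffer twice, because in CPython those call send() and read() underneath. What the example does not show is the injection step: in the scenario the article describes, this module has to be loaded into the target process first, and a client that uses a different TLS binding than the standard ssl module would need that binding's equivalent leaf methods patched instead.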