Security researchers have published a research paper on how they bypassed the security features of cloud-based storage service Dropbox and gained access to private user files.
Dhiru Kholia of Openwall and Przemysław Wegrzyn of CodePainters said that although the service has more than 100 million users, the platform had not previously been analysed extensively enough from a security standpoint.
They said their goal is to get Dropbox to create an open source version, which would mean that anyone could look at its code and verify that the service is secure.
The researchers said they were able to gain unauthorised access to files, despite the fact that Dropbox added security features after it was hacked a year ago.
Security measures aimed at attracting enterprise users included encryption and two-factor authentication, but both were bypassed by Kholia and Wegrzyn.
They were able to reverse engineer the portion of Dropbox that runs on a user’s computer, despite the fact that Dropbox was written in Python using techniques aimed at preventing reverse engineering.
This means that many other cloud services that use Python and the same anti-hacking techniques could be at risk, according to Business Insider.
The researchers said they found that two-factor authentication as used by Dropbox protects only against unauthorised access to Dropbox’s website.
“The Dropbox internal client API does not support or use two-factor authentication.
This implies that it is sufficient to have only the host_id value to gain access to the target’s data stored in Dropbox,” they said.
However, Dropbox has issued a statement, saying it does not believe that the research presents a vulnerability in the Dropbox client.
“In the case outlined [in the research], the user’s computer would first need to have been compromised in such a way that it would leave the entire computer, not just the user’s Dropbox, open to attacks across the board,” the company said.
Kholia and Wegrzyn hope that others will help them build a more secure, open source method for using Dropbox that would be available for Dropbox to adopt.