Looking Inside the (Drop) Box!

Dropbox is a cloud based file storage service used by more than millions of users. The security of the dropbox was not analyzed properly. Recently, I came across a paper titled Looking inside (Drop)box which was presented at USENIX. Paper explains how to reverse engineer the Dropbox client application and extracts the algorithm. Dropbox clients are mostly written in python. The author of the paper, Dhiru Kholia has uploaded the essential scripts required to reverse engineer the Dropbox. Seems unbelievable and interesting right?

In his paper, we show how to unpack, decrypt and decompile Dropbox from scratch and in full detail. This paper presents new and generic techniques to reverse engineer frozen Python applications. Once you have the decompiled source-code ,it is possible to study how Dropbox works in detail. The authors have mentioned about breaking the two factor authentication used in Dropbox and also hijacking Dropbox accounts. As I am a beginner in RE, I haven’t looked into it further.

For readers still with puzzled thoughts, you may be new to the world of Reverse Engineering. Reverse Engineering is the process of obtaining/modifying source codes from the compiled binaries. Get familiar with reverse engineering by exploring the below softwares:

1) IDA PRO
2)Olly Dbg

For others, scripts are ready for you to explore the core of dropbox and its working.What are you waiting for? Git clone the repository and have your hands hacking on it!

Resources:

GitHub Link : https://github.com/kholia/dedrop

There is also a presentation on the vulnerability proposed . You can view it here

For a video regarding the exploitation procedure , see this link

Leave a Reply

Your email address will not be published. Required fields are marked *