Researchers Gain Access To Protected Dropbox Source Code

Two programmers reverse-engineer the client written in obfuscated Python, enabling new attack vectors

Researchers have reverse-engineered the proprietary client of the popular cloud hosting service Dropbox to get to its source code.

Dhiru Kholia and Przemyslaw Wegrzyn have managed to unpack, decrypt and decompile the application written in obfuscated Python. They say their method could be applied to reverse-engineer other “frozen” Python applications.

The findings could make it easier for an attacker to bypass two-factor authentication or create malicious Dropbox client look-alikes. However, a statement from the company has noted that the avaliability of the source code itself does not present a security issue.

The paper entitled “Looking inside the (drop) box” was presented at the USENIX 2013 conference in Washington.

Arms race

For years, Dropbox, now a $10 billion business, has carefully guarded its application source code against both competitors and hackers. Even the APIs used by the cloud hosting service are not officially documented. The company has been accused of practicing “security through obscurity” – actively hiding the inner workings of its client from the public, hoping that the lack of information will keep it safe.

Maksim Kabakou“We show how to unpack, decrypt and decompile Dropbox from scratch and in full detail,” wrote Kholia and Wegrzyn. “This paper presents new and generic techniques to reverse-engineer frozen Python applications. Once you have the de-compiled source code, it is possible to study how Dropbox works in detail.”

Researchers believe that despite its popularity, Dropbox hasn’t been “analysed extensively enough from a security standpoint”. They also say that going to extreme lengths to protect the source code is doing the service more harm than good. In the paper, Kholia and Wegrzyn describe the design and implementation of an open-source version of Dropbox client.

“We wonder what Dropbox aims to gain by employing such anti-reversing measures,” reads the research paper. “Most of Dropbox’s ‘secret sauce’ is on the server-side, which is already well protected. We do not believe these anti-reverse-engineering measures are beneficial for Dropbox users and for Dropbox.”

According to security expert Robert Schifreen, suddenly opening up the source code is dangerous as it could allow the creation of malicious look-alike applications that collect login credentials and do other things besides hosting your files. “[These are] the perils of writing and distributing interpreted code, even if obfuscated,” Schifreen told TechWeekEurope.

“We appreciate the contributions of these researchers and everyone who helps keep Dropbox safe,” said a statement from Dropbox. “However, we believe this research does not present a vulnerability in the Dropbox client. In the case outlined here, the user’s computer would first need to have been compromised in such a way that it would leave the entire computer, not just the user’s Dropbox, open to attacks across the board.”

The sudden change could be beneficial for the company in the long run, helping Dropbox build a more resilient client. “We believe that our biggest contribution is to open up the Dropbox platform to further security analysis and research. Dropbox will/should no longer be a black box,” wrote Kholia and Wegrzyn.

How well do you know open source software? Take our quiz!