It's easy to think of Dropbox, the online file-hosting service, as a pillar of security. But as is so often the case these days, almost anything with a security system can be broken into given enough time, effort and resources, and a pair of security researchers took on Dropbox to prove just that.
The two researchers, Openwall's Dhiru Kholia and CodePainters' Przemyslaw Wegrzyn, set out to push Dropbox toward publishing an open source version of its client, so that users could inspect the code powering the service and confirm that it was as secure as it appeared to be. The pair quickly showed that Dropbox wasn't quite that safe after all; their published paper describing how the hacking was accomplished noted that “Dropbox will/should no longer be a black box,” and the work is prompting a serious look at Dropbox's overall security.
Particularly noteworthy about this takedown is that Dropbox only recently added a set of new security features designed to protect its user base after the site was hacked around a year ago. Those features were also meant to attract more paying customers, especially enterprise users who needed a way to share larger files with a mobile workforce. Dropbox went so far as to add both encryption and a two-factor authentication system, which requires a second credential beyond the password before files can be accessed.
The researchers, however, managed not only to disable both of those protective barriers, but also to reverse engineer the part of Dropbox that runs on users' computers. They were able to recover Dropbox's client source code, something that was supposed to be impossible, given that the client was specifically written in Python using a set of specialized techniques intended to prevent reverse engineering.
Dropbox, oddly, seems unconcerned about this, and a spokesperson reportedly offered a statement saying, “We appreciate the contributions of these researchers and everyone who helps keep Dropbox safe. However, we believe this research does not present a vulnerability in the Dropbox client. In the case outlined here, the user’s computer would first need to have been compromised in such a way that it would leave the entire computer, not just the user's Dropbox, open to attacks across the board.”
What's particularly noteworthy here is the reverse engineering itself: many cloud services are built with that same combination of Python and anti-reverse-engineering techniques. This development suggests that those services may face similar risks, though the risks may not be severe, especially if the statement above is any indication.
Everyone wants safe Web services. No one wants e-mails exposed or documents intercepted and passed around; that's a good part of what got everyone so concerned about the PRISM affair. By the same token, Dropbox's response seems fairly rational. The circumstances surrounding the researchers' attack are somewhat complex, at least for non-experts, and may not be readily reproduced even with the paper published. Still, the ultimate goal here is to make Web services safer, and perhaps Dropbox is being a little quick to dismiss the findings. Either way, it's a safe bet that there will always be individuals looking for ways to break security and companies looking for ways to respond, which on the whole gives us all a safer online experience.
Edited by Alisen Downey