Date: Fri, 16 Aug 2013 03:21:30 +0400
From: Solar Designer <>
Subject: [openwall-announce] Looking inside the (Drop) box


We've just posted online our USENIX WOOT '13 slides and paper entitled
"Looking inside the (Drop) box" (Security Analysis of Dropbox), by Dhiru
Kholia (Openwall and University of British Columbia) and Przemyslaw
Wegrzyn (CodePainters):

Dhiru presented this material at WOOT in Washington D.C. on August 13.

Also available via a link from the page above is the corresponding
source code (dedrop).

Here's the abstract:

"Dropbox is a cloud based file storage service used by more than 100
million users.  In spite of its widespread popularity, we believe that
Dropbox as a platform hasn't been analyzed extensively enough from a
security standpoint.  Also, the previous work on the security analysis of
Dropbox has been heavily censored.  Moreover, the existing Python
bytecode reversing techniques are not enough for reversing hardened
applications like Dropbox.

This paper presents new and generic techniques, to reverse engineer
frozen Python applications, which are not limited to just the Dropbox
world.  We describe a method to bypass Dropbox's two factor authentication
and hijack Dropbox accounts.  Additionally, generic techniques to
intercept SSL data using code injection techniques and monkey patching
are presented.

We believe that our biggest contribution is to open up the Dropbox
platform to further security analysis and research.  Dropbox will/should
no longer be a black box.  Finally, we describe the design and
implementation of an open-source version of Dropbox client (and yes, it
runs on ARM too)."


