No encryption is impenetrable. Hackers and researchers prove it every day, cracking some highly touted security measure thought to be too complex, too fortified to ever be breached.

The latest site to fall is Dropbox, the popular file-hosting service where more than 100 million users upload more than a billion files each day. Developers Dhiru Kholia and Przemyslaw Wegrzyn reverse-engineered Dropbox, a heavily obfuscated—or deliberately unintelligible—application, written in Python.

Having reverse-engineered the application, the researchers were capable of hijacking Dropbox to intercept SSL traffic from its servers, bypass two-factor authentication and create open-source Dropbox clients. Of course they didn’t; they’re researchers, not hackers.

They did, however, describe their reverse-engineering method step by step, giving anyone with enough skill the knowledge to try the same method with any of the countless other sites, programs and applications written in Python: NASA, Minecraft, Django, OpenStack and a host of Google products, to name just a few.

“We show how to unpack, decrypt and decompile Dropbox from scratch and in full detail,” they wrote in their research paper. “This paper presents new and generic techniques to reverse-engineer frozen Python applications. Once you have the de-compiled source code, it is possible to study how Dropbox works in detail.”

Kholia and Wegrzyn presented the paper, “Looking inside the (drop) box,” at USENIX 2013, explaining how they were able to best the heavily obfuscated code.

“The client consists of a modified Python interpreter [that is] running obfuscated Python bytecode,” they wrote. “However, Dropbox being a proprietary platform, no source code is available for these clients. Moreover, the API being used by the various Dropbox clients is not documented.”

Kholia and Wegrzyn have noticed, however, that Dropbox shored up many of its vulnerabilities with each successive update. A hole in the “Launch Dropbox Website” feature, for instance, has been patched since the researchers exploited it.

About Rob Marvin

Rob Marvin has covered the software development and technology industry as Online & Social Media Editor at SD Times since July 2013. He is a 2013 graduate of the S.I. Newhouse School of Public Communications at Syracuse University with dual degrees in Magazine Journalism and Psychology. Rob enjoys writing about everything from features, entertainment, news and culture to his current work covering the software development industry. Reach him on Twitter at @rjmarvin1.