No software protection is impenetrable. Hackers and researchers prove it every day, cracking some highly touted security measure thought to be too complex, too fortified to ever be breached.
The latest to fall is the desktop client of Dropbox, the popular file-hosting service whose more than 100 million users upload more than a billion files each day. Researchers Dhiru Kholia and Przemyslaw Wegrzyn reverse-engineered the Dropbox client, a heavily obfuscated (that is, deliberately made unintelligible) application written in Python.
With the client decompiled, the researchers showed that an attacker could intercept the client's SSL traffic to Dropbox's servers, bypass two-factor authentication and build open-source Dropbox clients. They demonstrated these as proofs of concept, not as attacks on other users; they are researchers, not criminals.
They did, however, describe their reverse-engineering method step by step, giving anyone with enough skill the knowledge to apply it to other programs shipped as "frozen" Python applications, that is, a bundled interpreter plus bytecode. The techniques are generic to such bundles rather than specific to Dropbox, and Python itself is everywhere: NASA, Django, OpenStack and a host of Google products use it, to name just a few, although server-side code such as Django or OpenStack is not distributed in frozen form and so is not what this method targets.
“We show how to unpack, decrypt and decompile Dropbox from scratch and in full detail,” they wrote in their research paper. “This paper presents new and generic techniques to reverse-engineer frozen Python applications. Once you have the de-compiled source code, it is possible to study how Dropbox works in detail.”
“The client consists of a modified Python interpreter [that is] running obfuscated Python bytecode,” they wrote. “However, Dropbox being a proprietary platform, no source code is available for these clients. Moreover, the API being used by the various Dropbox clients is not documented.”
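The obfuscation the paper describes, a modified interpreter running bytecode whose opcode numbers no longer match a stock interpreter's, can be undone with a known-plaintext comparison once the bytecode has been pulled out of the running process. The following is an added example written for this article, not the researchers' tooling and not Dropbox code. It simulates such a remapping with a random permutation of opcode numbers, then recovers the table by lining up the permuted bytecode of a module whose source is public against what a stock interpreter compiles from that same source, and reports any opcodes the known plaintext never exercised, which is the step that has to be finished by hand. The two module sources, the function names and the permutation are constructed for the example; the dumping step (extracting code objects from the live process) is assumed to have already happened.

```python
"""Recover a permuted opcode table from a known-plaintext module (added example).

Example code for this article; not the Kholia/Wegrzyn tooling and not Dropbox code.
Assumes CPython >= 3.8 wordcode: each instruction is an (opcode, arg) byte pair.
"""
import dis
import random
import types

# Constructed stand-in for a standard-library module: its source ships with
# CPython, so the frozen app's permuted copy of it is a known plaintext.
KNOWN_SOURCE = """
def clamp(x, lo, hi):
    if x < lo:
        return lo
    if x > hi:
        return hi
    return x

def total(items, scale):
    acc = 0
    for k, v in zip(items, items):
        if k != v:
            return False
        acc += v * scale
        if acc > scale:
            acc = 0
    return acc

def size(s, strict):
    empty = len(s) == 0
    if strict:
        return empty
    return True
"""

# Constructed stand-in for application code whose source is not available.
SECRET_SOURCE = """
def check_host_id(host_id, expected):
    if len(host_id) != len(expected):
        return False
    ok = True
    for a, b in zip(host_id, expected):
        if a != b:
            ok = False
    return ok
"""


def make_opcode_table(seed):
    """Random bijection on 0..255, standing in for a modified interpreter's opcode numbering (assumption)."""
    rng = random.Random(seed)
    targets = list(range(256))
    rng.shuffle(targets)
    return dict(zip(range(256), targets))


def remap(code, table):
    """Rewrite the opcode byte of every instruction, recursing into nested code objects in co_consts."""
    raw = bytearray(code.co_code)
    for i in range(0, len(raw), 2):
        raw[i] = table[raw[i]]
    consts = tuple(remap(c, table) if isinstance(c, types.CodeType) else c
                   for c in code.co_consts)
    return code.replace(co_code=bytes(raw), co_consts=consts)


def walk(code):
    """Yield a code object and its nested code objects in co_consts order."""
    yield code
    for c in code.co_consts:
        if isinstance(c, types.CodeType):
            yield from walk(c)


def learn_mapping(obfuscated, reference):
    """Pair permuted and genuine bytecode position by position; returns {permuted_opcode: real_opcode}."""
    mapping = {}
    for ob, ref in zip(walk(obfuscated), walk(reference)):
        if len(ob.co_code) != len(ref.co_code):
            raise ValueError("known plaintext does not line up in %s" % ref.co_name)
        for i in range(0, len(ob.co_code), 2):
            real = mapping.setdefault(ob.co_code[i], ref.co_code[i])
            if real != ref.co_code[i]:
                raise ValueError("opcode %d maps inconsistently" % ob.co_code[i])
    return mapping


def unmapped_opcodes(code, mapping):
    """Permuted opcodes in `code` that never occurred in the known plaintext; these need manual work."""
    seen = {c.co_code[i] for c in walk(code) for i in range(0, len(c.co_code), 2)}
    return sorted(seen - set(mapping))


def demo(seed=1337):
    table = make_opcode_table(seed)
    # What the frozen app would ship: permuted bytecode of a public module and of the secret one.
    known_obf = remap(compile(KNOWN_SOURCE, "known.py", "exec"), table)
    secret_obf = remap(compile(SECRET_SOURCE, "secret.py", "exec"), table)
    # Analyst side: compile the public source with a stock interpreter and align the two.
    mapping = learn_mapping(known_obf, compile(KNOWN_SOURCE, "known.py", "exec"))
    missing = unmapped_opcodes(secret_obf, mapping)
    recovered = remap(secret_obf, mapping) if not missing else None  # mapping inverts the permutation
    ns = {}
    if recovered is not None:
        exec(recovered, ns)
    # Failure mode: a construct the plaintext never used (here an import) stays unknown.
    probe = unmapped_opcodes(remap(compile("import os\n", "probe.py", "exec"), table), mapping)
    return {"table": table, "mapping": mapping, "missing": missing, "recovered": recovered,
            "check": ns.get("check_host_id"), "import_probe": probe}


if __name__ == "__main__":
    out = demo()
    print("learned %d opcodes; unmapped in secret module: %s; unmapped in probe: %s"
          % (len(out["mapping"]), out["missing"], out["import_probe"]))
    if out["recovered"] is not None:
        dis.dis(out["check"])
        print(out["check"]("abc", "abc"), out["check"]("abc", "abd"))
```

The recovered code object is only executed after every opcode in it has been mapped; running bytecode through the wrong interpreter, or with a partial table, is how analysts crash the process rather than learn from it. The more of the bundled standard library the known plaintext covers, the smaller the list of leftover opcodes that has to be resolved by hand.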
Kholia and Wegrzyn noted, however, that Dropbox closed many of the weaknesses they found with each successive update. A hole in the “Launch Dropbox Website” feature, for instance, has been patched since the researchers exploited it.