How to bypass two factor authentication in Dropbox

Dropbox Two Factor Authentication Flaw

The research team at Q-Cert discovered a critical vulnerability that enables hackers to work around the two-factor security built into Dropbox.

Also known as Multi-factor authentication, Two Factor authentication is a security method that requires a user to provide two means of identification.

Just a password won’t suffice; instead, you need to enter both something you know, such as the password and something you have like a Bank Card PIN.

In Dropbox’s case, the two factors were the traditional username/password pair and a unique security code that could only be retrieved via SMS.

How to Break Two Factor Authentication in Dropbox

The hack is based on the fact that Dropbox doesn’t have good email validation.  For example, let’s say I know three things about you:

  1. You have a Dropbox account with email address imabouttobehacked@example.com.
  2. I know your sign-on password because I used social engineering tactics to trick you into giving it to me.
  3. But I also know you’re using two-factor authentication so I still can’t sign-on to your account.

Exploiting the Vulnerability

I signup for a Dropbox account with a a name identical to yours except I put a dot somewhere in my account name to make it slightly different.  So I use im.abouttobehacked@example.com.

Note the dot between the ‘m’ and the ‘a’.

Next, I enable two factor authentication for this bogus account and save the Emergency Backup code that Dropbox creates for me.  For this example, let’s say the code is this:

tv1d dfdv vvuv v34s

The Emergency Backup code is designed to give you an alternate way to sign into your accounts in case the second factor is no longer viable.  For example, if you lose your cell phone then you have no way of signing in because the second factor, your cell phone verification, is lost.

Now I have to sign-in to Dropbox with my victims account name and password.  When I enter my victims email address, imabouttobehacked.@example.com, since this user has two factor authentication, Dropbox will ask me to enter the Security Code that it sent to his phone.

All I need to do is click the I lost my phone link under the code submission text box.  A window appears asking me to enter my Emergency Backup code.

I enter MY backup code: tv1d dfdv vvuv v34s effectively disabling two factor authentication and completely owning my victim’s account.

Now all his files, photos, songs, and documents are mine.

The Bottom Line

Fortunately, the folks at Q-CERT worked with the security team at Dropbox to patch this flaw.  But I am a little aghast that Dropbox hasn’t posted anything about this on neither it’s regular nor tech blogs.

The most unnerving part is that Dropbox has over 100 million users expected to be 150 million by the close of the year.  It spans 500 million mobile devices and as of February 2013, accounts for 0.29% of global internet traffic.  In fact, Dropbox is so large that according to CEO Drew Houston, there are over one billion file uploads per day.  That’s one seventh of the worlds population in daily uploads!

Now think about that.

The thing that really bothers me is that people enable two factor authentication as an extra security mechanism.  Most of those 100 million Dropbox users don’t even know what it is, but those few scrupulous users who do, expect it to be an extra layer of security not a vector for exploitation.

It’s just disturbing that even big companies like this one make major mistakes that put millions of users at risk.  As users we need to be vigilant and shouldn’t think that our accounts are completely secure just because we’re using strong authentication methods like two-factor authentication.

About

Connect with Vonnie on Twitter

Posted in News Tagged with:
  • Pingback: Dropbox wants to replace your Hard Drive | fixedByVonnie()

  • xrzx

    So the fact that there is a dot in the user name (email) was completely ignored by their 2FA backup code-generation algorithm.
    Why on earth would they develop it that way?
    Very scary a company this big would allow something this stupid to happen.