

How to bypass two factor authentication in Dropbox

Dropbox Two Factor Authentication Flaw

The research team at Q-CERT discovered a critical vulnerability that lets an attacker work around the two-factor authentication built into Dropbox.

Two-factor authentication, also known as multi-factor authentication, is a security method that requires a user to provide two separate means of identification.

A password alone won’t suffice; instead, you must provide both something you know, such as the password, and something you have, such as a bank card PIN.

In Dropbox’s case, the two factors were the traditional username/password pair and a unique security code that could only be retrieved via SMS.

How to Break Two Factor Authentication in Dropbox

The hack relies on the fact that Dropbox doesn’t validate email addresses properly. For example, let’s say I know three things about you:

  1. You have a Dropbox account with email address imabouttobehacked@example.com.
  2. I know your sign-on password because I used social engineering tactics to trick you into giving it to me.
  3. But I also know you’re using two-factor authentication, so I still can’t sign in to your account.

Exploiting the Vulnerability

I sign up for a Dropbox account with a name identical to yours, except that I put a dot somewhere in my account name to make it slightly different. So I use im.abouttobehacked@example.com.

Note the dot between the ‘m’ and the ‘a’.

Next, I enable two-factor authentication for this bogus account and save the Emergency Backup code that Dropbox creates for me. For this example, let’s say the code is:

tv1d dfdv vvuv v34s

The Emergency Backup code is designed to give you an alternate way to sign in to your account in case the second factor is no longer available. For example, if you lose your cell phone, you have no way of signing in because the second factor, the verification code sent to your phone, is lost.

Now I sign in to Dropbox with my victim’s account name and password. When I enter my victim’s email address, imabouttobehacked@example.com, Dropbox asks me to enter the security code it sent to his phone, since this user has two-factor authentication enabled.

All I need to do is click the “I lost my phone” link under the code submission text box. A window appears asking me to enter my Emergency Backup code.

I enter MY backup code, tv1d dfdv vvuv v34s, effectively disabling two-factor authentication and completely taking over my victim’s account.

Now all his files, photos, songs, and documents are mine.
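To show the bug class behind this walkthrough from the defender's side, here is an added toy model (not code from the post or from Dropbox) of a recovery-code store. The post does not say how Dropbox matched codes, so the model assumes that the recovery-code lookup folded dots out of the email's local part while account identity did not; `RecoveryStore`, `redeem_vulnerable`, `redeem_fixed` and the sample addresses are constructed for this example.

```python
import hashlib
import hmac
import secrets
def _hash_code(code: str) -> str:
    # Store only a digest of the backup code, never the code itself.
    return hashlib.sha256(code.replace(" ", "").encode()).hexdigest()
def _fold_dots(email: str) -> str:
    # Dot-insensitive key: 'im.about@example.com' -> 'imabout@example.com'
    local, _, domain = email.partition("@")
    return local.replace(".", "") + "@" + domain.lower()
class RecoveryStore:  # constructed toy model, not Dropbox's code
    def __init__(self):
        self.accounts = {}  # exact email -> account id
        self.codes = {}     # account id -> digest of the one-time backup code

    def enroll(self, email: str) -> str:
        # Create an account and hand back its freshly generated backup code.
        account_id = f"acct-{len(self.accounts) + 1}"
        self.accounts[email] = account_id
        code = secrets.token_hex(8)
        self.codes[account_id] = _hash_code(code)
        return code

    def redeem_vulnerable(self, login_email: str, code: str) -> bool:
        # Assumed bug: any account whose dot-folded address equals the login
        # address may supply the code, so a dotted twin's code is accepted.
        key, digest = _fold_dots(login_email), _hash_code(code)
        for email, account_id in self.accounts.items():
            stored = self.codes.get(account_id, "")
            if _fold_dots(email) == key and hmac.compare_digest(stored, digest):
                return True
        return False

    def redeem_fixed(self, login_email: str, code: str) -> bool:
        # Fix: bind the code to the exact account that passed the password step,
        # compare in constant time, and burn the code after a single use.
        account_id = self.accounts.get(login_email)
        stored = self.codes.get(account_id)
        if stored is None or not hmac.compare_digest(stored, _hash_code(code)):
            return False
        del self.codes[account_id]
        return True
def demo() -> tuple:
    # Replays the post's scenario: (vulnerable, fixed, fixed_victim, replay)
    store = RecoveryStore()
    victim = "imabouttobehacked@example.com"
    victim_code = store.enroll(victim)
    attacker_code = store.enroll("im.abouttobehacked@example.com")
    return (store.redeem_vulnerable(victim, attacker_code),  # True: the flaw
            store.redeem_fixed(victim, attacker_code),       # False
            store.redeem_fixed(victim, victim_code),         # True
            store.redeem_fixed(victim, victim_code))         # False: one-time
```

The fixed path never consults the email string at all once the password step has identified an account, which is the property a reviewer should look for in any recovery-code check.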

The Bottom Line

Fortunately, the folks at Q-CERT worked with the security team at Dropbox to patch this flaw. But I am a little aghast that Dropbox hasn’t posted anything about this on either its regular blog or its tech blog.

The most unnerving part is that Dropbox has over 100 million users and is expected to reach 150 million by the close of the year. It spans 500 million mobile devices and, as of February 2013, accounts for 0.29% of global internet traffic. In fact, Dropbox is so large that, according to CEO Drew Houston, there are over one billion file uploads per day. That’s one seventh of the world’s population in daily uploads!

Now think about that.

The thing that really bothers me is that people enable two-factor authentication as an extra security mechanism. Most of those 100 million Dropbox users don’t even know what it is, but the few scrupulous users who do expect it to be an extra layer of security, not a vector for exploitation.

It’s just disturbing that even big companies like this one make major mistakes that put millions of users at risk. As users we need to be vigilant and shouldn’t assume that our accounts are completely secure just because we’re using strong authentication methods like two-factor authentication.



  • xrzx

    So the fact that there is a dot in the user name (email) was completely ignored by their 2FA backup code-generation algorithm.
    Why on earth would they develop it that way?
    Very scary a company this big would allow something this stupid to happen.

  • Mehras

    I also had the 16-digit code. But it needs me to enter an 8-digit backup code.