Two security researchers claim they have found a vulnerability in cloud storage provider Dropbox’s code that would allow hackers to gain direct access to users’ data.
Dropbox's desktop apps are written in obfuscated Python code, meaning that it has been rendered incomprehensible to humans.
But Dhiru Kholia, a researcher at the University of British Columbia, and Przemyslaw Wegrzyn, of software development agency Codepainters, claim they decrypted the Dropbox code using various reverse engineering techniques.
Having decrypted the source code, the researchers found two security vulnerabilities that would allow hackers to remotely access Dropbox accounts. One of these was patched by Dropbox, but the other – which involves injecting a snippet of Python code into the Dropbox application – is harder to defend against, the researchers claim.
Dropbox itself pointed out that in order for this attack to work, a hacker would need to have remote access to their target's PC. "In the case outlined here, the user's computer would first need to have been compromised in such a way that it would leave the entire computer, not just the user's Dropbox, open to attacks across the board," a Dropbox spokesperson said.
Kholia and Wegrzyn said the main purpose of their research was to encourage Dropbox to be more transparent about the way its application works, so that security researchers can identify potential exploits.
“We believe that our biggest contribution is to open up the Dropbox platform to further security analysis and research,” Kholia and Wegrzyn wrote in their paper. “Dropbox will / should no longer be a black box.”
They also said that the research could be used to build open-source clients for the Dropbox platform.