

Bypassing Two-Factor Authentication for Dropbox - rdl
http://www.qcert.org/alerts/bypassing-2-factor-authentication-dropbox

======
rdl
Since the Q-CERT site is 503ing:

[http://www.slashgear.com/dropbox-hack-allows-bypass-of-
two-f...](http://www.slashgear.com/dropbox-hack-allows-bypass-of-two-factor-
authentication-05289228/)

"It turns out that as long as someone has the username and password of your
Dropbox account, they can bypass the two-factor authentication and log right
into your account with a couple of clever tricks. Since Dropbox doesn’t verify
email addresses when users sign up for a new account, a hacker can use a new
email address that’s similar to an existing one by placing a period in
somewhere, similar to how Gmail addresses work.

For this fake account, two-factor authentication is enabled and an emergency
code is generated in case users ever lose their phone. The hacker will then
login to the victim’s account, but will be prompted to enter the code for that
account. However, the hacker will simply select that the victim lost their
phone and they’ll be promoted for that emergency code.

Since the email address that the hacker signed up with is similar to the
victim’s email address. the emergency code will work on the victim’s account.
From there, the hacker can disable two-factor authentication and gain access
into the victim’s Dropbox account. This is because that
“baseballboy@yahoo.com” is registered as being the same
“baseball.boy@yahoo.com,” just like how Gmail handles email addresses.

Of course, you have to know the user’s password before you can do this, but
once you get a hold of it, it seems relatively easy to bypass Dropbox’s two-
factor authentication. However, the security team that found the vulnerability
is already said to be working with Dropbox to fix the bug."

~~~
jmharvey
Interesting. It seems like there are two separate issues here:

(1) Dropbox is inconsistent about whether it ignores dots in the local part of
an email address, and in some cases blurs the line between accounts with
similar emails. If true, this needs to be fixed.

and

(2) Dropbox doesn't really use two-factor authentication, in the usual sense
of "something you know plus something you have." I'm guessing this is due to
their users liking the idea of having two-factor authentication, but in
practice want to be able to access their account even if their phone is lost.
So it turns into "something you know plus something you know." I'm inclined to
think that this kind of not-really-two-factor-authentication is actually the
correct approach for the kind of data you store on Dropbox, but it's something
to think about when you're designing an account-recovery protocol.

~~~
jervisfm
Dropbox is a cloud provider that hosts critical information for many people.
Given this nature of their business, I'd expect that security is actually
their number one primary focus (even beyond new features I'd say).

With regards to point number 1, I don't understand how that bug could have
existed uncaught. Yes, security is hard but when you're storing the most
personal user data, you're obliged to make sure you actually keep it safe and
protect it from unauthorized access.

Yet, with Dropbox, it appears that every so often that some time goes by, and
we have yet another security issue. The worst I remember was when for a window
of time, _anyone_ could login to _any_ dropbox user account without entering a
valid password. No password. Just a valid username and you're in.

It's interesting to note that issue too had to do with authentication and
authorization. Maybe it's time Dropbox should spend some time auditing their
code to find other similar issues just waiting to be discovered?

~~~
MichaelGG
I would not expect security to rank as their number one thing. Usability is
probably the primary, outranking, engineering goal. Security as a prime
requirement would place client-side encryption over other goals, which they do
not.

As you pointed out, dropbox has shown they're not very secure. They lied about
their server-side encryption too. But no one cares. It's far more profitable
to make a reasonable pass at security, then try to deliver on the user
experience and marketing.

~~~
rdl
They're sufficiently bad at security that I actively discourage people from
using Dropbox for anything but personal toy stuff. Since their future revenue
expansion seems to be tied to "dropbox for teams", not fixing security is a
major problem for them, since any competent auditor would have similar
concerns about dropbox (not just "dropbox can see your files", but the other
access controls and auditing/logging dropbox doesn't support.) Box also sucks
for security, but slightly less.

Everyone I know in a security-conscious environment uses something else.
Sadly, often MS Sharepoint. There are some big advantages to a system like
Dropbox, but aside from some small startups, nothing in that space I'd
actually recommend for business use.

~~~
cybspi
There are more security conscious applications that have usability better than
sharepoint, take for instance adeptCloud, it works pretty much like dropbox
but the backing store of data is on the business premise instead of in S3.

------
corylouie
This issue was reported to Dropbox and promptly fixed over 3 weeks ago. We
appreciate the contributions of this researcher and everyone who helps keep
Dropbox safe.

~~~
gaadd33
Link? Was there any disclosure about this from Dropbox?

~~~
frew
corylouie is on Dropbox's security team.

(I work for Dropbox but don't speak for it in this capacity)

~~~
daeken
Disclosing a fairly significant (albeit very niche) vulnerability like this
via a comment on HN 3 weeks later isn't really best practice. Was there a
disclosure prior to this post going up?

~~~
rpearl
This HN post is a link to a disclosure from the security researchers who
worked with Dropbox (note: I work for Dropbox).

It is not generally the case that companies disclose quickly-patched
vulnerabilities that were reported by white-hat security researchers. Example
of a similar vulnerability with a similar response time by another company:
[https://blog.duosecurity.com/2013/02/bypassing-googles-
two-f...](https://blog.duosecurity.com/2013/02/bypassing-googles-two-factor-
authentication/)

Researchers disclose a while after the vulnerability is patched. This is
standard practice.

------
Aaronneyer
Cached(Formatting is a bit off):
[http://webcache.googleusercontent.com/search?q=cache:N0t0DFb...](http://webcache.googleusercontent.com/search?q=cache:N0t0DFbvQU0J:www.qcert.org/sites/default/files/public/bypassing_2_factor_authentication_on_dropbox.pdf+&cd=1&hl=en&ct=clnk&gl=us)

------
ZouheirAbdallah
Hey,

I am the researcher that disclosed this, and it was responsibly disclosed to
Dropbox and later to the general public once we got confirmation that the
vulnerability is patched.

you can email me at zouheir[dot]abdallah at gmail

------
mathrawka
Two-factor is getting to be a necessary feature for sites...

HOWEVER, there are always ways around two-factor auth. Some sites have some
special codes that you are advised to print and carry around with you. Some
sites let you verify your personal information to turn it off.

What it comes down to is how secure are:

\- the methods of disabling two-factor auth

\- the methods involved when you lose your two-factor auth token/device

And let's not forget:

\- the methods invovled when you forget your password

\- customer service intervention methods (i.e. social engineering)

Putting a "Look we support two-factor auth! We are super secure!" message out
there is always a red flag for me, as to how they have counter measures in
place for the above scenarios are very important... as that is what the evil
people will do.

~~~
rdl
I wish there were an "account recovery as a service" company to handle this
kind of thing, since everyone gets it wrong. Just a cheap outsourced
callcenter or web service for low end consumer services, all the way to an in-
person or onsite (notary or bank equivalent) for the really important things.

~~~
kumarski
I wish the same thing specifically for domain names and hosting.

