Back in March 2010 we started an investigation into online file storage services and Dropbox in particular. Sebastian and Manuel started to disassemble the Dropbox binary and in essence created an alternative client by patching its crypto libraries. In the months that followed we found a number of security flaws with Dropbox. In November 2010 we informed Dropbox about the security holes we found: unauthorized file access as well as a potential misuse of Dropbox for an unlimited online slackspace. It took Dropbox until April 2011 to respond to our findings. In the meantime a number of independent researchers found some of the security shortcomings we described (e.g. Christopher Soghoian’s blog entry).
Thus, we are more than happy to finally present our research at this year’s USENIX Security conference in San Francisco.
In addition to our findings Dropbox had a security glitch this week, whereas authentication without providing a valid password was possible for around 4h. In summary: One should be very careful which information is stored on Dropbox and Dropbox has to overhaul their service’s security.