So Dropbox Can Be Hacked

So Dropbox Can Be Hacked—What Else Is New? We describe a method to bypass Dropbox’s two-factor authentication and hijack Dropbox accounts. Additionally, generic techniques to intercept SSL data using code injection techniques and monkey patching are presented.

In other words, they were able to make modifications without altering Dropbox’s original source code. They also exploited the “Launch Dropbox Website” feature, an item in the Windows system tray that lets users log in to the website automatically. Current versions of Dropbox handle that feature more securely than earlier ones did, but legacy users could still be at risk of having their accounts breached.

This is an impressive feat, even if it is fraught with some scary potential. The team showed that it’s possible to blast through Dropbox’s two-step login security, hijack accounts and expose code that could allow crafty hackers to devise some ingenious (or malicious) programs.

Fortunately, the researchers have no mischief in mind. They only wanted to prove a point: Blocking access to underlying code doesn’t necessarily stop hacks. All it does is impede well-meaning developers from vetting it properly.