Slashdot Mirror


Researchers Reverse-Engineer Dropbox, Cracking Heavily Obfuscated Python App

rjmarvin writes "Two developers were able to successfully reverse-engineer Dropbox to intercept SSL traffic, bypass two-factor authentication and create open-source clients. They presented their paper, 'Looking inside the (Drop) box' (PDF) at USENIX 2013, explaining step-by-step how they were able to succeed where others failed in reverse-engineering a heavily obfuscated application written in Python. They also claimed the generic techniques they used could be applied to reverse-engineer other Frozen Python applications: OpenStack, NASA, and a host of Google apps, just to name a few..."

7 of 242 comments

  1. Well, there goes Eve Online by Anonymous Coward · · Score: 3, Interesting

    Good thing I stopped playing the game.
    It's hosed now.

  2. Re:Doesn't the Dropbox EULA... by epyT-R · · Score: 5, Interesting

    Why? If you're looking for the selfish angle, maybe he/they just wanted the notoriety. However, he/they might've just wanted to do a public service. Most people trust Dropbox to be secure. Of course, Slashdot users should all know better than to trust the 'cloud' for anything sensitive, but a way to get this info to people who would not otherwise know this is to make a splash about a successful pen-test.

    Lots of guys see it as a challenge; the digital equivalent of saying 'you can't have this.' Well, challenge accepted.

  3. Re:Waste of resources by cerberusss · · Score: 4, Interesting

    Using utilities like IonCube to 'protect' PHP-code will never stop the dedicated people from reverse engineering the application or re-engineering it.

    No, but it will stop support calls from clients that are the result of messing with the code.

    --
    8 of 13 people found this answer helpful. Did you?
  4. Re:Obfuscated python code? by six025 · · Score: 4, Interesting

    Sounds remarkably like security through obscurity to me. With the predictable outcome.

    You have no right to feel secure if you only think you're secure assuming no one else examines your source code.

    To what level do you take the paranoia, though?

    As early as 1984 (hah!) it has been known that a compiler could be developed in such a way as to produce binaries containing a back door:

    http://c2.com/cgi/wiki?TheKenThompsonHack

    The next level is CPU microcode. Where does it end? One day we can fab our own CPUs from Open Source designs ... but will that be enough?

    Peace,
    Andy.

  5. Re:Insecure by design by Inda · · Score: 1, Interesting

    "others are now relying on fast exchange of nonces"

    Is that a typo or a new word in programming?

    1. nonce. (UK) Slang for paedophile or sex offender

    --
    This post contains benzene, nitrosamines, formaldehyde and hydrogen cyanide.
  6. Re:Waste of resources by Errol backfiring · · Score: 3, Interesting

    Why do you paint bricks and fake keyholes on your door when you leave the house?

    There, fixed that for you. Obfuscation is more like dazzle painting. It works somewhat, but don't expect it to work well.

    --
    Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
  7. Re:Python? Really? by StripedCow · · Score: 1, Interesting

    Python and JavaScript are syntactically much more difficult to master than assembly language.
    Plus, there are way more primitives to learn...

    --
    If Pandora's box is destined to be opened, *I* want to be the one to open it.