Bypassing two factor authentication on Dropbox

Posted: July 6, 2013 in Analysis, Vulnerabilities

The Q-CERT team found a critical vulnerability that allows an attacker to bypass two-factor authentication in the most popular file sharing service, Dropbox.

Two-factor authentication is an extra layer of security, also known as “multi-factor authentication”, that requires not only a username and password but also a unique code that only the user can receive via SMS or phone call. If an attacker already knows the username and password of the victim’s Dropbox account, which is protected by two-factor authentication, it is still possible to take over that Dropbox account using the technique explained below.

Dropbox does not verify the authenticity of the email address used to sign up a new account, so to exploit this flaw the attacker just needs to create a new fake account whose email address is similar to the target’s, with a dot (.) inserted anywhere in the address.

In the next step, enable two-factor authentication for the fake account and save the emergency code generated at the end of the process. This emergency code is provided in case the user loses their phone; with this backup code the user can disable two-factor authentication on the account.

Next, log out of the fake account and log in to the victim’s account using the real credentials (which the attacker already has, obtained through a keylogger or phishing). Because two-factor authentication is enabled for the victim’s account, the website asks for the OTP code. Leave it blank and instead choose “I Lost My Phone” on the same screen. You will be prompted for the “Emergency Code”, which can disable two-factor authentication.

That’s it! Use the emergency code generated for the fake account to disable two-factor authentication on the victim’s account, and you have full access.
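The defensive lesson of the steps above is that an emergency code must only ever be checked against the one account that is being recovered, and that account must be identified by its own record, not by a look-alike email string. The following Python model is an added example written for this page; it is not Dropbox code and makes no claim about how Dropbox implemented recovery. It assumes an in-memory account store, a per-account salted hash of the emergency code, and single-use redemption. The `simulate_lookalike_recovery` function replays the scenario from the post with two constructed addresses and shows that the look-alike account’s code is rejected for the victim’s account even when the attacker has verified the look-alike mailbox (some providers deliver dotted variants to one inbox, so email verification alone is not the fix).

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Account:
    account_id: int
    email: str                      # stored exactly as registered; no dot stripping
    email_verified: bool = False
    totp_enabled: bool = False
    backup_salt: Optional[bytes] = None
    backup_hash: Optional[bytes] = None


class AccountStore:
    """In-memory stand-in for the account table (constructed for this example)."""

    def __init__(self) -> None:
        self.by_id: Dict[int, Account] = {}
        self.by_email: Dict[str, Account] = {}

    def create(self, email: str) -> Account:
        if email in self.by_email:
            raise ValueError("address already registered")
        acct = Account(account_id=len(self.by_id) + 1, email=email)
        self.by_id[acct.account_id] = acct
        self.by_email[email] = acct
        return acct

    def verify_email(self, account_id: int) -> None:
        # In a real system this runs when the user clicks a mailed link.
        self.by_id[account_id].email_verified = True


def _hash_code(code: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + code.encode()).digest()


def enable_two_factor(store: AccountStore, account_id: int) -> Optional[str]:
    """Enable 2FA and return the one-time emergency code, or None if the mailbox is unverified."""
    acct = store.by_id[account_id]
    if not acct.email_verified:
        return None                     # no 2FA enrolment on an unverified address
    code = secrets.token_hex(8)
    acct.backup_salt = secrets.token_bytes(16)
    acct.backup_hash = _hash_code(code, acct.backup_salt)   # never store the code itself
    acct.totp_enabled = True
    return code


def redeem_emergency_code(store: AccountStore, account_id: int, code: str) -> bool:
    """Disable 2FA for account_id only if code is that account's own unused emergency code.

    The account is the one that already passed the password step; the code is never
    searched for across other accounts, so a look-alike account's code cannot match.
    """
    acct = store.by_id[account_id]
    if acct.backup_hash is None or acct.backup_salt is None:
        return False
    if not hmac.compare_digest(_hash_code(code, acct.backup_salt), acct.backup_hash):
        return False
    acct.backup_hash = None             # single use: consume the code
    acct.backup_salt = None
    acct.totp_enabled = False
    return True


def simulate_lookalike_recovery() -> Dict[str, bool]:
    """Replay the post's scenario against the binding check; all values should be True."""
    store = AccountStore()
    victim = store.create("victim@example.com")             # constructed address
    store.verify_email(victim.account_id)
    victim_code = enable_two_factor(store, victim.account_id)

    lookalike = store.create("vic.tim@example.com")         # same address with a dot inserted
    store.verify_email(lookalike.account_id)                # assume the attacker receives mail there
    lookalike_code = enable_two_factor(store, lookalike.account_id)

    return {
        "distinct_accounts": lookalike.account_id != victim.account_id,
        "lookalike_code_rejected": not redeem_emergency_code(store, victim.account_id, lookalike_code),
        "victim_still_protected": store.by_id[victim.account_id].totp_enabled,
        "own_code_accepted": redeem_emergency_code(store, victim.account_id, victim_code),
        "reuse_rejected": not redeem_emergency_code(store, victim.account_id, victim_code),
    }


if __name__ == "__main__":
    for check, ok in simulate_lookalike_recovery().items():
        print(f"{check}: {ok}")
```

The two properties that close the hole are visible in `redeem_emergency_code`: the lookup starts from the authenticated account id rather than from the code or an email string, and the stored hash is cleared on first use so a leaked or guessed code cannot be replayed. Exact-string email matching in `AccountStore` keeps the two addresses as separate records; what matters for safety is that nothing in the recovery path ever treats them as the same user.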

