PolySec Lab

Implementation Vulnerability Associated with OAuth 2.0: A Case Study on Dropbox

About

Dropbox is a cloud-based file storage service used by more than 200 million users. Its ability to provide cloud storage seamlessly, with minimal complexity for the user, is the key to its widespread popularity. Despite its high usability, Dropbox has recently been criticized for loose ends in its security.

Security and usability are not always mutually exclusive, and we believe there is still a lot of room to improve Dropbox's security without affecting its unique user experience. In this project, we present a RAM-analysis-based method to extract the key security token used for account access. In addition, we describe a new technique to bypass authentication and gain unauthorized access to Dropbox accounts by using the new tray login feature in the most recent Dropbox client (v2.4.x).

Through these exploits, we demonstrate that most of these security issues lie at the level of implementation rather than design. Finally, we describe potential resolutions that can improve Dropbox's security without affecting its high usability.

Dr. Mohammad Husain

Project Director
Professor at Cal Poly Pomona

Bruce Wu

Project Lead
Student at Cal Poly Pomona

Tung Nguyen

Developer
Student at Cal Poly Pomona

Project Details

Video

Audio/Visual Explanation

Video coming soon.

Publications/Media

Research Papers & Features