Security specialists Florian Ledoux and Nicolas Ruff from the IT department at EADS cast a critical eye on the Dropbox cloud storage service and recently presented their findings at the Hack.LU security conference. They explained the trickery used by the service's developers to encrypt the Python-based desktop client, showed how the client protects its configuration and, of course, demonstrated how data is exchanged.

The researchers say that they found no major vulnerabilities. "Dropbox is now quite secure," Nicolas Ruff told The H's associates at heise Security. Of course, this was not always the case. The researchers did, however, uncover one minor security problem: the client doesn't check one particular certificate when talking to other Dropbox clients on a local network. This potentially enables attackers to block the client of other network users, for example.

According to the researchers, the vulnerability can also be exploited for surveillance purposes: companies could, for instance, monitor whether confidential company documents leave the building over Dropbox (data leakage prevention). The security experts informed Dropbox of their discovery before giving the presentation – the hole could, therefore, already have been closed in the current version of the client.


A critical Analysis of Dropbox Software SecurityPDF