Looking inside the (Drop) box: researchers reverse-engineer the client and bypass 2FA
August 2013
At USENIX WOOT 2013, Dhiru Kholia and Przemyslaw Wegrzyn unpacked and decompiled Dropbox's obfuscated-Python desktop client, demonstrated SSL interception via code injection, and described a way to hijack accounts and bypass two-factor authentication.
What happened
Dhiru Kholia (Openwall) and Przemyslaw Wegrzyn (CodePainters) presented 'Looking inside the (Drop) box' at the USENIX Workshop on Offensive Technologies (WOOT) in August 2013. They detailed generic techniques to unpack, decrypt and decompile 'frozen' Python applications — using Dropbox's heavily obfuscated client as the case study — effectively opening the client to outside scrutiny for the first time.
Beyond the reverse-engineering methods, the paper showed how code injection into the running client could be used to intercept Dropbox's SSL traffic, and described a technique to hijack a Dropbox account and bypass its two-factor authentication. The authors framed their goal as research transparency: 'We believe that our biggest contribution is to open up the Dropbox platform to further security analysis and research. Dropbox will/should no longer be a black box.'
Impact
The work demonstrated that obfuscation is not security: a client built on interpreted, packed Python could be fully recovered by determined researchers, exposing how the desktop application authenticated and handled tokens. It enabled independent auditing of Dropbox's client and stands as an early academic data point for the argument that Dropbox's client-side protections could be peeled back and examined rather than trusted as an opaque box.