Sunday, July 7, 2013

Hacking a Dropbox account: vulnerability allows an attacker to bypass two-factor authentication


The Q-CERT team found a critical vulnerability that allows an attacker to bypass two-factor authentication on the popular file-sharing service Dropbox.

Two-factor authentication is an extra layer of security, also known as "multi-factor authentication", that requires not only a username and password but also a one-time code that only the user can receive, via SMS or a phone call.
Zouheir Abdallah demonstrated that if an attacker already knows the username and password of a victim's Dropbox account protected by two-factor authentication, it is still possible to take over that account.

Because Dropbox does not verify the authenticity of the email addresses used to sign up for a new account, the attacker only needs to create a fake account whose email address matches the target's, with a dot (.) appended anywhere in the address.
In the next step, the attacker enables two-factor authentication on the fake account and saves the emergency code generated at the end of the process. This emergency code feature exists so that a user who has lost their phone can use the backup code to disable two-factor authentication on their account.

Next, the attacker logs out of the fake account and logs in to the victim's account with the real credentials (already obtained through a keylogger or phishing).
Because two-factor authentication is enabled on the victim's account, the site asks for the OTP code. Instead of entering it, the attacker chooses "I Lost My Phone" on the same screen and is prompted to use the "Emergency Code".
That's it! The emergency code generated for the fake account is accepted and disables two-factor authentication on the victim's account, giving the attacker full access.
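The flaw above has two ingredients: a look-alike account registered under a dot-variant of an unverified email address, and an emergency code that was honoured for an account other than the one it was issued to. The following Python sketch, added here as an illustration and not Dropbox's code or its actual fix, shows the two defensive checks a service can apply: canonicalising email addresses at signup so dot-variants collide with the existing account, and storing the (hashed, single-use) emergency code against a specific account id so it can only disable 2FA on that account. The store, account ids and sample addresses are all constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed, illustrative account store; not the vendor's implementation.


def canonicalize_email(addr: str) -> str:
    """Collapse dot-variants of the same mailbox into one identity.

    Some providers ignore dots in the local part, so 'vic.tim@example.com'
    and 'victim@example.com' can reach one inbox. Comparing canonical forms
    at signup stops a look-alike account from being registered next to an
    existing one.
    """
    local, sep, domain = addr.strip().lower().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {addr!r}")
    return f"{local.replace('.', '')}@{domain}"


@dataclass
class Account:
    account_id: int
    email: str
    # SHA-256 of the single outstanding emergency code, or None if unset.
    recovery_hash: Optional[str] = None


class AccountStore:
    def __init__(self) -> None:
        self._by_canonical: Dict[str, Account] = {}
        self._by_id: Dict[int, Account] = {}

    def register(self, email: str) -> Account:
        """Reject signups whose canonical address already exists."""
        canon = canonicalize_email(email)
        if canon in self._by_canonical:
            raise ValueError("address is a dot-variant of an existing account")
        acct = Account(account_id=len(self._by_id) + 1, email=email)
        self._by_canonical[canon] = acct
        self._by_id[acct.account_id] = acct
        return acct

    def issue_recovery_code(self, account_id: int) -> str:
        """Generate an emergency code bound to exactly one account.

        Only the hash is stored; the plaintext is shown to the user once.
        """
        acct = self._by_id[account_id]
        code = secrets.token_hex(8)
        acct.recovery_hash = hashlib.sha256(code.encode()).hexdigest()
        return code

    def redeem_recovery_code(self, account_id: int, code: str) -> bool:
        """Disable 2FA only if the code belongs to *this* account.

        The lookup is keyed by the account being authenticated, never by a
        cookie or by an email address, so a code issued to a look-alike
        account cannot be replayed here. A successful redemption consumes it.
        """
        acct = self._by_id[account_id]
        if acct.recovery_hash is None:
            return False
        presented = hashlib.sha256(code.encode()).hexdigest()
        if not hmac.compare_digest(acct.recovery_hash, presented):
            return False
        acct.recovery_hash = None  # single use
        return True


if __name__ == "__main__":
    store = AccountStore()
    victim = store.register("victim@example.com")
    attacker = store.register("attacker@example.net")
    try:
        store.register("vic.tim@example.com")
    except ValueError as exc:
        print("look-alike signup blocked:", exc)
    code = store.issue_recovery_code(attacker.account_id)
    print("attacker's code accepted on victim account:",
          store.redeem_recovery_code(victim.account_id, code))
```

The important property is that `redeem_recovery_code` is keyed by the account id of the session that is mid-login, so the only code that can disable that account's 2FA is the one issued to that same account.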

Q-CERT worked with the Dropbox security team to patch the issue.
