Conference: International conference on information technology: new generations

Implementation Vulnerability Associated with OAuth 2.0 -- A Case Study on Dropbox


Abstract

Dropbox is a cloud-based file storage service used by more than 200 million users. Its ability to provide cloud storage seamlessly, with minimal complexity for the user, is the key to its widespread popularity. Despite its high usability, Dropbox has recently been criticized for loose ends in its security. Security and usability are not always mutually exclusive, and we believe there is still a lot of room to improve Dropbox's security without affecting its unique user experience. In this paper, we present a RAM-analysis-based method to extract the key security token used for account access. In addition, we describe a new technique to bypass authentication and gain unauthorized access to Dropbox accounts by using the new tray login feature of the most current Dropbox client (v2.4.x). Through these exploits, we demonstrate that most of these security issues lie at the level of implementation rather than design. Finally, we describe potential resolutions that can improve Dropbox's security without affecting its high usability.
