Saturday, July 6, 2013

Two-factor authentication bypass in Dropbox, POSSIBLE!!

Researcher Zouheir Abdallah revealed that an attacker who already knows the victim's credentials (username and password obtained with a keylogger, through a password shared across sites, because of an easy-to-guess password, etc.) for a Dropbox account that has two-factor authentication enabled is able to hack that account through a procedure. The Q-CERT team found a critical vulnerability in Dropbox that allows a hacker to bypass the two-factor authentication implemented by the popular file sharing service. The flaw is related to the lack of verification of the authenticity of the email addresses used to sign up for a new Dropbox account: a hacker could conduct the attack by creating a new fake account similar to the target one, appending a dot (.) anywhere in the email address.
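On the defensive side, a sign-up path can refuse addresses that differ from an existing account only by dots and keep recovery features locked until the mailbox is confirmed. The sketch below is an added example, not Dropbox's code; `SignupGuard`, `dotless_key` and the sample addresses are hypothetical, and it assumes the service chooses to treat dots in the local part as insignificant when comparing addresses.

```python
from dataclasses import dataclass, field


def dotless_key(email: str) -> str:
    """Comparison key: lower-case the address and drop dots from the local part."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {email!r}")
    return local.replace(".", "").lower() + "@" + domain.lower()


@dataclass
class SignupGuard:
    accounts: dict = field(default_factory=dict)  # dotless key -> address as registered
    verified: set = field(default_factory=set)    # addresses whose owner confirmed by mail

    def register(self, email: str) -> str:
        key = dotless_key(email)
        existing = self.accounts.get(key)
        if existing == email:
            return "duplicate"
        if existing is not None:
            # Same mailbox name once dots are ignored: refuse and log for review.
            return "lookalike"
        self.accounts[key] = email
        return "pending"  # account exists but ownership is not yet proven

    def confirm(self, email: str) -> None:
        """Call only after the link mailed to `email` has been followed."""
        if self.accounts.get(dotless_key(email)) != email:
            raise KeyError(email)
        self.verified.add(email)

    def may_use_recovery(self, email: str) -> bool:
        """Recovery and 2FA-reset features stay locked for unverified addresses."""
        return email in self.verified


if __name__ == "__main__":
    guard = SignupGuard()
    # Constructed sample addresses.
    for addr in ("jane.doe@example.com", "jane.d.oe@example.com", "janedoe@example.com"):
        print(addr, "->", guard.register(addr))
```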
