Many online services are implementing two-factor authentication to bulk up security and prevent unauthorized access to sensitive information. Dropbox is just one of those online services that offers the feature, but it’s been recently discovered that the company’s two-factor authentication method is still vulnerable to breaching.
It turns out that as long as someone has the username and password of your Dropbox account, they can bypass the two-factor authentication and log right into your account with a couple of clever tricks. Since Dropbox doesn’t verify email addresses when users sign up for a new account, a hacker can use a new email address that’s similar to an existing one by placing a period in somewhere, similar to how Gmail addresses work.
For this fake account, two-factor authentication is enabled and an emergency code is generated in case users ever lose their phone. The hacker will then login to the victim’s account, but will be prompted to enter the code for that account. However, the hacker will simply select that the victim lost their phone and they’ll be promoted for that emergency code.
Since the email address that the hacker signed up with is similar to the victim’s email address. the emergency code will work on the victim’s account. From there, the hacker can disable two-factor authentication and gain access into the victim’s Dropbox account. This is because that “email@example.com” is registered as being the same “firstname.lastname@example.org,” just like how Gmail handles email addresses.
Of course, you have to know the user’s password before you can do this, but once you get a hold of it, it seems relatively easy to bypass Dropbox’s two-factor authentication. However, the security team that found the vulnerability is already said to be working with Dropbox to fix the bug.
VIA: The Hacker News