Two Factor Authentication is an extra layer of security that is known as “multi factor authentication” that requires not only a password and username but also a unique code that only user can get via SMS or Call.
Zouheir Abdallah demonstrated, if an attacker already knows the username and password of the victim's Dropbox account, which is protected by two-factor authentication, it is still possible to hack that Dropbox account using following explained technique.
DropBox does not verify the authenticity of the email addresses used to Sign up a new account, so to exploit this flaw hacker just need to create a new fake account similar to the target’s account and append a dot (.) anywhere in the email address.
In Next step, enable 2-factor authentication for the fake account, and save the emergency code generated at the end of the process. This emergency code feature is provided, in case user lost his phone, then using this backup code user can disable two factor authentication from his account.
Next, logout from the the fake account created by attacker and login into the victim's account using the real credentials (attacker already have using any keylogger or phishing technique).
Because 2-Factor authentication was enabled for victim's account, so website will ask to enter the OTP code. Leave it, just choose “I Lost My Phone” from the same screen. You will be prompted to use the “Emergency Code”, that can disable the 2-Factor authentication.
That's it ! Use the emergency code generated from the fake account to disable 2-Factor authentication for the victim's account and enjoy full access.
Q-CERT worked with DrobBox security team to patch the issue.