Researchers from IBM’s security team have discovered an authentication flaw in the Dropbox Software Development Kit (SDK) for Android that can be exploited to capture new data a user saves to their Dropbox account.
The flaw has been extensively documented by the researchers in a blog post, but the essentials are these: the vulnerability affects apps that use Dropbox SDK for Android versions 1.5.4 through 1.6.1 (the latest is v1.6.3). It can be exploited through such an app, or by visiting a specially crafted malicious page in your Android web browser that targets that app, and only if you don’t have the Dropbox for Android app installed. Also, an attacker cannot access the data you have previously stored in your Dropbox account.
The researchers have provided a demonstration of the attack:
“Out of the 41 apps we examined as part of our initial research that use the Dropbox SDK for Android, 31 apps (76 percent) used a vulnerable version of the SDK. It is worth noting that the rest of the apps were vulnerable to a much simpler attack that has the same consequences but had been fixed by Dropbox in the SDK version 1.5.4; this older attack vector was notable in that it could not be prevented by installing the Dropbox app,” the researchers shared.
The researchers discovered the vulnerability a few months ago and disclosed it to the Dropbox team, which reacted quickly and patched the flaw in less than five days.
“With a patch solution available, it is highly recommended that developers update their Dropbox SDK library. Additionally, end users (device owners) must update their apps that rely on the SDK and are also encouraged to install the Dropbox app, which makes it impossible to exploit the vulnerability; this is because the vulnerable SDK code is not invoked when the local Dropbox app is installed,” IBM researchers noted.
“Every app works differently, so many apps using the affected SDKs weren’t vulnerable at all or required additional factors to exploit,” Dropbox security engineer Devdatta Akhawe pointed out, adding that “there are no reports or evidence to indicate the vulnerability was ever used to access user data.”
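A small dependency audit written for this article as an added example (it is not code from IBM, Dropbox, or the researchers’ blog post). It classifies a Dropbox SDK for Android version string against the range the article gives, 1.5.4 through 1.6.1 inclusive, treats anything older as falling under the simpler, already-fixed attack the researchers mention, and scans a list of library paths for the SDK jar. The jar file naming pattern (`dropbox-android-sdk-<version>.jar`) and the sample paths are assumptions constructed for the example; adapt the pattern to how your own build pulls in the SDK.

```python
import re
from typing import Iterable, List, Tuple

# Affected range stated in the article: SDK 1.5.4 through 1.6.1 inclusive.
VULN_MIN: Tuple[int, ...] = (1, 5, 4)
VULN_MAX: Tuple[int, ...] = (1, 6, 1)

# Assumed naming pattern for the SDK jar inside a project's lib directory
# (a constructed assumption for this example, not a documented Dropbox layout).
_JAR_RE = re.compile(r"dropbox-android-sdk-(\d+(?:\.\d+)*)\.jar$", re.IGNORECASE)

# Status labels returned by classify_version().
VULNERABLE = "vulnerable"          # 1.5.4 .. 1.6.1, the flaw described here
OLDER_FLAW = "pre-1.5.4"           # older simpler attack, fixed in 1.5.4
PATCHED = "patched"                # 1.6.2 or newer (article cites 1.6.3 as latest)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.6.1' into (1, 6, 1), padding short strings so '1.6' == (1, 6, 0)."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (3 - len(parts)) if len(parts) < 3 else parts


def classify_version(text: str) -> str:
    """Map an SDK version string to one of the status labels above."""
    v = parse_version(text)
    if v < VULN_MIN:
        return OLDER_FLAW
    if v <= VULN_MAX:
        return VULNERABLE
    return PATCHED


def audit_paths(paths: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Scan library paths for the SDK jar and return (path, version, status)."""
    findings = []
    for path in paths:
        match = _JAR_RE.search(path)
        if match is None:
            continue  # not the Dropbox SDK jar, skip
        version = match.group(1)
        findings.append((path, version, classify_version(version)))
    return findings


# Constructed sample input: a mix of unrelated jars and SDK jars at different versions.
SAMPLE_PATHS = [
    "app/libs/okhttp-2.2.0.jar",
    "app/libs/dropbox-android-sdk-1.6.1.jar",
    "legacy/libs/dropbox-android-sdk-1.5.3.jar",
    "new/libs/dropbox-android-sdk-1.6.3.jar",
]

if __name__ == "__main__":
    for path, version, status in audit_paths(SAMPLE_PATHS):
        print(f"{status:12s} {version:8s} {path}")
```

Versions are compared as integer tuples rather than strings so that 1.6.3 sorts after 1.6.1 and 1.10.0 would sort after 1.6.3; a plain string comparison gets both wrong.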