Dropbox Android SDK Flaw Exposes Mobile Users to Attack: IBM

IBM researchers discovered a flaw in Dropbox’s Android SDK which can leave mobile users vulnerable to attack.

The issue was not in the Dropbox service or the mobile app itself, but rather in the company’s SDK that third-party developers include to let users easily connect to their Dropbox files, Michael Montecillo, director of security intelligence at IBM Security, told SecurityWeek.

The vulnerability (CVE-2014-8889) was present in the SDK versions 1.5.4 through 1.5.1.

The vulnerability, dubbed DroppedIn by IBM researchers, would allow an attacker to connect mobile apps using the SDK to a Dropbox account under their control, IBM Security researcher Roee Hay wrote in an overview on the Security Intelligence blog. This way, attackers could easily transfer out the data harvested from the mobile device. “This may allow the attacker to steal sensitive information and inject malicious data into apps,” Hay said.

Dropbox updated its Android Core and Sync/Datastore SDKs four days after researchers reported the vulnerability. Even after the flaw was patched, IBM and Dropbox delayed publicizing the vulnerability in order to give other app developers time to update their apps.

IBM researchers discovered that 41 of the top 500 applications on Google Play had used the broken Dropbox Android SDK, including Microsoft Mobile Office, 1Password, and several productivity and photo editing/sharing tools, said Montecillo. Microsoft and AgileBits, the company behind 1Password, have already updated their apps to use the latest SDK, Hay said.

Dropbox claimed that despite the seriousness of the issue, the scope was very limited.

“There are no reports or evidence to indicate the vulnerability was ever used to access user data,” Dropbox’s Devdatta Akhawe wrote in a blog post. “Every app works differently, so many apps using the affected SDKs weren’t vulnerable at all or required additional factors to exploit.”

Just three-quarters of the apps using the broken SDK were actually vulnerable to DroppedIn. For the attack to actually work, the user has to have an affected app installed and not have the Dropbox app installed. The last bit is critical since the issue was in how the SDK used the OAuth protocol to link apps to user accounts.

The attacker can then trick the user into visiting a malicious website in the Android browser or into installing a malicious application. If successful, the attacker could save information collected from the app to a Dropbox account without the victim ever knowing.
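The account-linking weakness described above belongs to a well-known class: an app launches a browser-based OAuth flow and later accepts whatever authorization result is handed back to it, so a malicious page or app on the device can hand it credentials for an account the attacker controls. The simulation below is an added illustration and not Dropbox's SDK code or its actual fix; it assumes a simplified flow where the app binds the browser hand-off to a random state value and rejects any callback that does not carry it back.

```python
import hmac
import secrets
from typing import Optional


class LinkFlow:
    """Simulates an app linking a cloud account through a browser OAuth hand-off."""

    def __init__(self, bind_state: bool):
        self.bind_state = bind_state      # False models the vulnerable behaviour
        self._pending: Optional[str] = None
        self.linked_account: Optional[str] = None

    def start(self) -> dict:
        # The app hands off to the browser. With binding it remembers a fresh
        # random nonce that the genuine browser response must echo back.
        self._pending = secrets.token_urlsafe(16) if self.bind_state else None
        return {"state": self._pending}

    def finish(self, callback: dict) -> bool:
        # The callback arrives as an intent; any page or app on the device
        # could have produced it, so the app must prove it is the reply to
        # the flow it actually started.
        if self.bind_state:
            echoed = callback.get("state", "")
            if self._pending is None or not hmac.compare_digest(echoed, self._pending):
                return False
        self.linked_account = callback["account"]
        self._pending = None
        return True


def injected_link(bind_state: bool) -> Optional[str]:
    """Attacker-supplied callback (constructed sample) that never went through the browser."""
    app = LinkFlow(bind_state)
    app.start()
    forged = {"account": "attacker@example.invalid", "state": "guess"}
    app.finish(forged)
    return app.linked_account      # vulnerable app links the attacker's account


def genuine_link(bind_state: bool) -> Optional[str]:
    """Legitimate browser response: it echoes the state the app issued."""
    app = LinkFlow(bind_state)
    issued = app.start()
    reply = {"account": "victim@example.invalid", "state": issued["state"]}
    app.finish(reply)
    return app.linked_account
```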

This vulnerability couldn’t give attackers access to any existing files previously saved in a user’s account. As stated previously, users with the Dropbox app installed on their devices were never vulnerable. The vulnerability is not one where the attacker could download malware directly onto the device, Hay told SecurityWeek. “It’s very unlikely that it will just execute that data,” said Hay.

Most Android threats come from apps found on third-party app stores and not vetted by Google Play, but DroppedIn shows how even legitimate apps can be vulnerable if a component used by the developer has a flaw. Developers are strongly encouraged to update their apps in order to ensure the issue is fully resolved. Additionally, users should always ensure they are running updated versions of apps installed on their mobile devices.
