A major vulnerability in the Dropbox SDK for Android has been revealed by IBM Security, whereby attackers can connect applications on mobile devices to a Dropbox account controlled by the attacker.
The vuln has since been fixed, with IBM praising Dropbox for its response to the issue; the company acknowledged receipt of the disclosure within six minutes, confirmed the vulnerability within the day, and issued a patch within four days.
It’s slightly better than the handling of the flaw in Moonpig’s API, which was not looked at for 17 months before security researcher Paul Price, exasperated, went public. Dropbox’s turnaround was one of the quickest response times IBM Security had ever seen, which “undoubtedly shows the company’s commitment to security,” according to an IBM post.
The impact is not limited to Dropbox customers; it extends to every third-party app that embeds the SDK. According to AppBrain, 0.31% of all applications use the Dropbox SDK, with the number rising to 1.4% of the top 500 apps. Microsoft Office Mobile, for example, utilises the Dropbox SDK, and with over 10 million downloads, it potentially puts a lot of people at risk.
Out of the 41 apps examined which used the Dropbox SDK as part of IBM’s initial research, 76% were vulnerable to the attack. Dropbox leverages the OAuth protocol, so the app never handles the user’s credentials, and its SDK generates a cryptographic nonce which is saved locally and can’t be guessed by attackers. However, the CVE-2014-8889 vulnerability lets attackers insert an arbitrary access token into the Dropbox SDK, bypassing the nonce protection altogether.
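To make the nonce protection described above concrete, the following is an added Python model written for this article; it is not Dropbox’s SDK code and does not reconstruct the exact defect behind CVE-2014-8889. It assumes a simplified OAuth-style callback: the app stores an unguessable nonce in private storage, and the callback that delivers the access token should only be honoured when it carries a matching state value. The weak handler skips that check whenever no state is supplied, so a token chosen by someone else can be linked; the hardened handler always requires the match and consumes the nonce. All names (`TokenStore`, `start_auth`, `weak_callback`, `hardened_callback`) and the sample callbacks are constructed for the example.

```python
import hmac
import secrets


class TokenStore:
    """Stand-in for the app's private storage (hypothetical; models where an
    SDK would keep the pending nonce and, once linked, the account token)."""

    def __init__(self):
        self.nonce = None
        self.access_token = None
        self.token_secret = None


def start_auth(store):
    """Begin an authorization flow: generate an unguessable nonce and persist it.
    A real SDK would also send it to the authorization server as the OAuth
    'state' value so it comes back in the callback."""
    store.nonce = secrets.token_urlsafe(32)
    return store.nonce


def _has_token(callback):
    return "access_token" in callback and "token_secret" in callback


def weak_callback(store, callback):
    """Weak model: the nonce is verified only if the caller includes 'state'.
    A callback that omits it is accepted, so the stored nonce gives no
    protection against a token the app's owner never authorized."""
    if not _has_token(callback):
        return False
    if "state" in callback and not hmac.compare_digest(callback["state"], store.nonce or ""):
        return False
    store.access_token = callback["access_token"]
    store.token_secret = callback["token_secret"]
    return True


def hardened_callback(store, callback):
    """Hardened model: refuse unless an authorization is pending, 'state' is
    present and matches the stored nonce (constant-time compare), and the token
    is present; then clear the nonce so the callback cannot be replayed."""
    if store.nonce is None:
        return False
    state = callback.get("state")
    if not state or not hmac.compare_digest(state, store.nonce):
        return False
    if not _has_token(callback):
        return False
    store.access_token = callback["access_token"]
    store.token_secret = callback["token_secret"]
    store.nonce = None  # single use
    return True


def demo():
    """Run both handlers against a legitimate callback and a constructed one
    that carries a foreign token but no state (the nonce lives in the victim
    app's private storage, so an outside party cannot supply it)."""
    results = {}

    weak = TokenStore()
    start_auth(weak)
    foreign = {"access_token": "tok-foreign", "token_secret": "sec-foreign"}  # constructed
    results["weak_accepts_foreign"] = weak_callback(weak, foreign)

    hard = TokenStore()
    nonce = start_auth(hard)
    results["hardened_accepts_foreign"] = hardened_callback(hard, foreign)
    results["hardened_rejects_wrong_state"] = hardened_callback(
        hard, dict(foreign, state="not-the-nonce"))
    legit = {"access_token": "tok-user", "token_secret": "sec-user", "state": nonce}  # constructed
    results["hardened_accepts_legit"] = hardened_callback(hard, legit)
    results["hardened_rejects_replay"] = hardened_callback(hard, legit)
    results["linked_token"] = hard.access_token
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The design point is that the nonce only protects the account binding if the check is unconditional: any code path that accepts a token without proving the caller saw the pending nonce lets the protection be bypassed, which is the class of failure the article describes. Clearing the nonce after a successful match also stops a captured callback from being replayed.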
The vulnerability has since been fixed in the Dropbox SDK for Android v1.62. IBM warns developers who use the Android Dropbox SDK to upgrade their version, as well as advising users to ‘remain diligent’ and apply mobile app updates to patch any vulnerabilities.
You can find out more in a blog post here.