IBM uncovers severe vulnerability in Dropbox SDK for Android

The vulnerability, now patched, had the potential to affect any app that uses the SDK, allowing a cyberattacker to steal potentially sensitive information and inject malicious data.


IBM's X-Force Application Security Reseach Team revealed the existence of a severe vulnerability in the Dropbox SDK for Android.

The now-patched vulnerability, dubbed DroppedIn by IBM's researchers, allowed an attacker to connect applications on a user's mobile device to a Dropbox account that they controlled.

Although Dropbox asserts no files were compromised before the patch, the vulnerability could have allowed a cyberattacker to steal potentially sensitive information and inject malicious data into third-party apps.

IBM says it first reported the vulnerability to Dropbox in December, and in a blog post, IBM researchers actually praise Dropbox for its minutes-long response time and the fact that it issued a patch within four days.

The handoff from IBM to Dropbox is notable given the Microsoft-Google flap over publicly disclosing vulnerabilities before they are fixed.

As for the vulnerability, it stems from the authorization mechanism used in the Dropbox SDK for Android, versions 1.5.4 and above, and had the potential to affect any app that uses the SDK.

The biggest user of the Dropbox SDK is the Microsoft Office Mobile app, which reportedly hosts more than 35 billion files on Dropbox for its users. Additional SDK users include password manager AgileBits 1Password, with an estimated 100,000 downloads, and several productivity and photo editing tools. Both were fixed by Microsoft and AgileBits after Dropbox notified them.

IBM explains that the vulnerability could have allowed an attacker to insert an arbitrary access token into the Dropbox SDK during the nonce verification stage, completely bypassing nonce protection. For background, a nonce is a long, random number typically used to prevent an attacker from injecting an access token pertaining to their own account, instead of the victim's.

While adding the nonce parameter should have mitigated the threat of a successful attack, the vulnerability left a crack in the SDK that could have allowed attackers to leak the nonce to their own server, making it useless.

IBM and Dropbox are urging developers to update their SDK to the latest patched version, v1.6.3 or Sync/Datastore Android SDK v3.1.2. But a simpler fix for end users is to install the actual Dropbox app, which makes exploitation of the vulnerability impossible.


Show Comments