Dropbox SDK bug leaves Android users open to attack

Security researchers at IBM have uncovered a bug in cloud storage service provider Dropbox’s software development kit (SDK) that potentially leaves millions of Android users open to attack.

Researchers at IBM’s X-Force Application Security Research warned that the ‘DroppedIn’ flaw affects many applications using the Dropbox SDK.

«It allows attackers to connect applications on mobile devices to a Dropbox account they control,» explained vice president of IBM Security Caleb Barlow.

«This vulnerability may affect any Android app that uses the Dropbox SDK versions 1.5.4 to 1.6.1, and can be exploited locally using malware and remotely using drive-by techniques.»

Dropbox spokesperson told V3 the firm issued an update fixing the flaw in December 2014 and added it could only be exploited in «very specific circumstances» on devices where the main Dropbox Android app was not installed.

Barlow said despite the assurances hackers could still steal data from vulnerable systems without the patch.

«The vulnerability allows attackers to execute malicious code during the log-in process that allows them to access the random number, called a ‘nonce’, that Dropbox uses as part of the authentication process,» he said.

«Once the attacker has the nonce, they can enter an access token that is also used to identify a user and then upload or download files into/from the victim’s vulnerable app to the attacker’s Dropbox account.»

He added to fully fix the problem application developers will have to install the SDK patch.

«There are many apps that rely on the Dropbox SDK, including Yahoo Mail, Microsoft Office Mobile, AgileBits 1Password, and several productivity, photo editing/sharing tools,» he said.

«Application developers that use the Android Dropbox SDK need to upgrade their version to at least 1.6.2 or above ASAP which is where the patch for this vulnerability exists.»

The Dropbox spokesperson moved to allay these concerns telling V3 «most Android app developers using our SDK have updated their apps so users don’t need to do anything.»

The news follows reports that application developers are failing to install critical security updates.

Researchers at McAfee reported in February that a number of «popular» applications still do not include critical patches for the high-profile BERserk and Heartbleed Secure Sockets Layer flaws.

Fuente: www.v3.co.uk