13 March 2015
Android users have been urged to update any apps that connect to Dropbox via its SDK after researchers discovered a flaw which could allow attackers to steal sensitive corporate data.
The IBM X-Force Application Security Research Team claimed the flaw affects Dropbox SDK versions 1.5.4 to 1.6.1 and can be exploited locally using malware as well as remotely using drive-by techniques.
This effectively means a user would need to visit a specially crafted web page or have a malicious app installed on their phone.
The flaw allows an attacker to execute malware during a Dropbox log-in and obtain the “nonce” – a random number used to help authenticate the user.
The hacker can then download sensitive files from any vulnerable SDK-linked app to their own Dropbox account. There is also the option of uploading files into the user’s compromised apps via Dropbox, IBM said.
The flaw is concerning because many mobile applications today use Dropbox to save and store sensitive personal or corporate information – often without giving users the choice of another cloud storage service.
Microsoft Office Mobile, Yahoo Mail and AgileBits 1Password are just a handful of the more popular ones. Microsoft Office Mobile alone has apparently been downloaded by over 10 million users.
“Businesses need to understand every possible place their data could be stored – especially in this case with the relationship between mobile and cloud,” warned IBM Security vice president, Caleb Brown.
“These files could be anything from a PowerPoint presentation to a VC firm asking for funding, documentation on a new drug going through FDA approval, or numbers on an impending IPO.”
IBM Security was at pains to point out that the flaw would not allow attackers to steal any documents saved pre-compromise to Microsoft Office or any other Dropbox-linked app. However, it would allow hackers to steal any files saved after an attack.
Dropbox was praised for patching the vulnerability just four days after being notified privately by IBM Security, and Microsoft and AgileBits have also updated to the latest SDK to protect users.
Brown therefore urged users to apply mobile app updates as soon as they are available and to install the Dropbox app, which prevents this flaw from being exploited.
“Application developers that use the Android Dropbox SDK need to upgrade their version to at least 1.6.2 or above ASAP which is where the patch for this vulnerability exists,” he added.
Dropbox, which has itself issued a blog post on the subject, played down the risk to users, claiming that the majority of developers have already updated their SDKs accordingly.
Source – http://www.infosecurity-magazine.com/news/dropbox-android-flaw-hackers-steal/