Researchers have disclosed a critical authentication vulnerability (CVE-2014-8889) in the Dropbox SDK for Android that could allow an attacker to connect applications on a targeted mobile device to a Dropbox account the attacker controls.
The Dropbox SDK for Android is a library that gives Android application developers a mechanism for their apps to interface with Dropbox.
Impacted versions include Dropbox SDK 1.5.4 through 1.6.1; the vulnerability was patched in version 1.6.2, and it cannot be exploited if the main Dropbox application is already installed on the targeted device. “Out of the 41 apps we examined as part of our initial research that use the Dropbox SDK for Android, 31 apps (76 percent) used a vulnerable version of the SDK,” the researchers said.
“It is worth noting that the rest of the apps were vulnerable to a much simpler attack that has the same consequences but had been fixed by Dropbox in the SDK version 1.5.4; this older attack vector was notable in that it could not be prevented by installing the Dropbox app.”
The vulnerability can be exploited by an attacker using a malicious application installed on the targeted device, or remotely through drive-by attack techniques on malicious websites.
The researchers commended Dropbox for its swift remediation following the researchers' private disclosure of the vulnerability, saying “the response from Dropbox to this security threat was particularly noteworthy as they acknowledged receipt of the disclosure within a mere six minutes, confirmed the vulnerability within 24 hours, and released a patch within just four days. This undoubtedly shows the company’s commitment to security.”
Developers are advised to update their Dropbox SDK library, and users should update any applications that rely on the SDK and install the main Dropbox application to prevent exploitation of the flaw.