IBM Discloses Discovery of Dropbox SDK Vulnerability

The never-ending cycle of vulnerability discovery and remediation continues this week with an announcement from IBM concerning a “DroppedIn” flaw in an SDK from Dropbox that affects applications running on Android devices.

Michael Montecillo, director of security intelligence for IBM, says that the IBM X-Force Application Security Research team has already informed Dropbox of the issue. For its part, Dropbox reports that a few months ago it patched what it calls a minor security vulnerability in the Android Core and Sync/Datastore SDKs. While most popular apps have already updated their Android SDKs, Dropbox says it now wants to make sure all of its Android developers update their apps to use Core API Android SDK v1.6.3 or Sync/Datastore API Android SDK v3.1.2.

At the same time, Dropbox notes that exploiting this vulnerability requires several conditions to line up: the user would have to be running an affected application on an Android device, would have to not have the Dropbox for Android application itself installed, and would then have to either visit a specially crafted malicious page in the Android Web browser that targets that app or have a malicious app installed on the phone.

An attacker could then link a Dropbox account under the attacker's control to a vulnerable third-party application on the victim's device. Any new data the user subsequently saved to Dropbox through that application would be captured in the attacker's account.

Dropbox also noted that many applications using the affected SDKs weren't vulnerable at all, or required additional factors to be exploitable. The vulnerability couldn't give attackers access to any existing files in a user's account, and users with the Dropbox application installed on their devices were never vulnerable.
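The two preceding paragraphs describe the attack's effect without showing why it behaves that way: why newly saved data ends up with the attacker, and why the victim's existing files are never exposed. The following Python model is an added example, not Dropbox SDK code and not the exploit IBM reported. It simulates an app that links a cloud account through an externally delivered authorization callback (on Android, an Intent handled by the app's auth activity) and contrasts a handler that accepts any callback with one that only accepts the callback for a flow the app itself started, bound by a single-use random nonce. That nonce check is the generic mitigation for this class of flaw; the page does not describe Dropbox's actual fix, so treat it as an assumption about the hardening, not a statement about the SDK. The cloud store, accounts, tokens and file names are all constructed for the example.

```python
"""Model of account linking via an authorization callback (constructed example).

Not Dropbox SDK code. Shows why an injected callback makes the victim's new
uploads land in the attacker's account while the victim's existing files are
untouched, and how binding the callback to an app-initiated flow stops it.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class AuthResult:
    """Callback payload: an access token, optionally bound to a request nonce.
    On Android this would arrive as Intent extras (modelling assumption)."""
    token: str
    nonce: Optional[str] = None


class CloudStore:
    """Toy stand-in for the storage service: tokens map to accounts."""

    def __init__(self) -> None:
        self._tokens: dict[str, str] = {}
        self.files: dict[str, dict[str, bytes]] = {}

    def issue_token(self, account: str) -> str:
        token = secrets.token_hex(8)
        self._tokens[token] = account
        self.files.setdefault(account, {})
        return token

    def put(self, token: str, name: str, data: bytes) -> str:
        """Store a file under the account the token belongs to; return that account."""
        account = self._tokens[token]
        self.files[account][name] = data
        return account


class VulnerableApp:
    """Accepts whatever token a callback carries, even if it never asked for one."""

    def __init__(self, cloud: CloudStore) -> None:
        self.cloud = cloud
        self.token: Optional[str] = None

    def on_auth_result(self, result: AuthResult) -> bool:
        self.token = result.token  # no check that this app started an auth flow
        return True

    def save(self, name: str, data: bytes) -> str:
        return self.cloud.put(self.token, name, data)


class HardenedApp:
    """Accepts a callback only if it carries the nonce of a flow this app started."""

    def __init__(self, cloud: CloudStore) -> None:
        self.cloud = cloud
        self.token: Optional[str] = None
        self._pending: Optional[str] = None

    def start_auth(self) -> str:
        self._pending = secrets.token_hex(16)  # single-use, unguessable
        return self._pending

    def on_auth_result(self, result: AuthResult) -> bool:
        if self._pending is None or result.nonce is None:
            return False  # no flow in progress, or callback is unbound
        if not secrets.compare_digest(result.nonce, self._pending):
            return False  # callback is for a flow we did not start
        self._pending = None  # consume the nonce so the result cannot be replayed
        self.token = result.token
        return True

    def save(self, name: str, data: bytes) -> str:
        return self.cloud.put(self.token, name, data)


def run_scenario() -> dict:
    cloud = CloudStore()
    victim_token = cloud.issue_token("victim")
    cloud.put(victim_token, "old.txt", b"pre-existing file")
    attacker_token = cloud.issue_token("attacker")  # attacker's own account

    # Vulnerable app: a malicious page or app delivers the attacker's token.
    weak = VulnerableApp(cloud)
    weak.on_auth_result(AuthResult(token=attacker_token))
    weak_saved_to = weak.save("notes.txt", b"victim's new note")

    # Hardened app: victim starts linking; attacker tries to inject meanwhile.
    strong = HardenedApp(cloud)
    nonce = strong.start_auth()
    injected = strong.on_auth_result(AuthResult(token=attacker_token))
    guessed = strong.on_auth_result(AuthResult(token=attacker_token, nonce=secrets.token_hex(16)))
    legit = AuthResult(token=victim_token, nonce=nonce)
    linked = strong.on_auth_result(legit)
    replayed = strong.on_auth_result(legit)
    strong_saved_to = strong.save("notes.txt", b"victim's new note")

    return {
        "vulnerable_saved_to": weak_saved_to,
        "victim_existing_intact": cloud.files["victim"]["old.txt"] == b"pre-existing file",
        "attacker_has_victim_note": "notes.txt" in cloud.files["attacker"],
        "hardened_rejected_injection": not injected and not guessed,
        "hardened_linked": linked,
        "hardened_rejected_replay": not replayed,
        "hardened_saved_to": strong_saved_to,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The model makes two of Dropbox's statements concrete: the vulnerable app writes the victim's new note into the attacker's account, while the victim's pre-existing file stays where it was, because the attacker only ever controls the account that gets linked, never the victim's. The hardened handler rejects a callback with no nonce, a guessed nonce, and a replay of a consumed one; the point of the design is that nothing outside the app can mint a result the app will accept.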

Finally, Dropbox notes that there are no reports or evidence to indicate the vulnerability was ever used to access user data and that it has alerted every developer that uses its SDK to update their applications.

But IBM says the DroppedIn flaw is significant because the biggest app that uses the Dropbox SDK is Microsoft Office Mobile, which hosts more than 35 billion files. Additionally, IBM says password manager AgileBits 1Password and several productivity and photo editing/sharing tools use the SDK.

In general, IT security companies have taken to hunting for vulnerabilities as a way to display their security prowess. The degree to which these vulnerabilities are actually being exploited is often debatable. Less clear is whether these disclosures wind up reminding developers of the need to write more secure code, or whether, amid all the noise about application security, they get lost in a sea of alerts to the point that developers can no longer distinguish between a theoretical vulnerability and one that is actively being exploited.

Michael Vizard