The flaw could ultimately expose user data, saved to Dropbox through vulnerable third-party apps, to attackers.

A serious vulnerability in the Dropbox software development kit (SDK) for Android should be patched immediately, as it can allow an attacker to connect a vulnerable app on a victim's device to their own Dropbox account for data exfiltration.

IBM's X-Force Application Security Research Team discovered the vulnerability (CVE-2014-8889), and also developed a working proof-of-concept exploit [video], dubbed DroppedIn, which allows for a targeted app to be linked with an attacker-managed Dropbox account.

IBM described two attack scenarios, a local attack (via a malicious app already on the device) and a remote drive-by attack (via a malicious web page), and noted in a Wednesday blog post detailing the vulnerability that both fail if the Dropbox app is installed on the targeted device.

The author of the post, Roee Hay, X-Force Application Security Research Team leader, explained that the vulnerability “lets adversaries insert an arbitrary access token into the Dropbox SDK, completely bypassing the nonce protection.”

In the remote attack, IBM demonstrated how a saboteur could cause the Dropbox SDK within a targeted app to leak the nonce (a one-time random value that is supposed to bind the linking handshake to the request that started it) to an attacker-operated server, using an HTTP redirect, Hay wrote.

IBM disclosed the vulnerability months ago to Dropbox, which immediately set out to rectify the issue. In a Tuesday interview with SCMagazine.com, Caleb Barlow, vice president of IBM Security, said that Dropbox patched the bug in record time – four days to be exact – and worked with app developers using the SDK to make sure they were secured against the threat.

“During the handshake between the third-party application and Dropbox, what was missing was a set of parameters that ensures that the [data] could not be captured and pointed at the attacker's Dropbox account," Barlow said of the vulnerability. "Effectively, what we are doing [in the POC] is swapping the token that links the app to your Dropbox account, with the attacker's Dropbox account."
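The following is an added illustration, not code from the Dropbox SDK or from IBM's DroppedIn proof of concept, of what the nonce in an account-linking handshake is for and what "bypassing the nonce protection" means. It models the client side of the handshake in a generic way: the app issues a nonce when it starts the flow, and on the callback it either accepts whatever token arrives (the vulnerable behaviour described above) or insists that the token be accompanied by a nonce it actually issued and has not yet consumed. The token strings and nonce values are constructed sample data, and the `LinkFlow` class and its methods are hypothetical names chosen for this example. The last scenario also shows the caveat the remote attack in this article relies on: a strict check is only as good as the secrecy of the nonce, so a nonce that is leaked to an attacker-controlled server defeats it.

```python
import hmac
import secrets

# Constructed sample tokens; in a real flow these come from the cloud service
# and name the account the app will be linked to.
VICTIM_TOKEN = "tok-victim-0001"
ATTACKER_TOKEN = "tok-attacker-0002"


class LinkFlow:
    """Minimal model of an app linking itself to a cloud storage account.

    strict=False models a callback handler that accepts any token it is handed.
    strict=True models the check a nonce is meant to provide: the callback must
    carry a nonce this client issued, and each nonce is honoured at most once.
    """

    def __init__(self, strict):
        self.strict = strict
        self.pending = set()        # nonces issued but not yet redeemed
        self.linked_token = None    # the account this app ends up bound to

    def start(self):
        # Generate an unguessable nonce and remember it. In a real flow this
        # value is carried in the authorization URL and must come back unchanged.
        nonce = secrets.token_urlsafe(16)
        self.pending.add(nonce)
        return nonce

    def finish(self, token, nonce):
        """Handle the callback that delivers an access token to the app."""
        if not self.strict:
            # Vulnerable: the token is bound to nothing, so whoever can reach
            # this handler can make the app store their own token.
            self.linked_token = token
            return True
        for issued in self.pending:
            if hmac.compare_digest(issued, nonce):   # constant-time compare
                self.pending.discard(issued)         # single use
                self.linked_token = token
                return True
        return False


def injected_token_accepted(strict):
    """Attacker supplies their own token with a nonce the app never issued."""
    flow = LinkFlow(strict)
    flow.start()
    return flow.finish(ATTACKER_TOKEN, "nonce-the-app-never-issued")


def legitimate_link_accepted(strict):
    """The honest callback echoes the nonce the app issued."""
    flow = LinkFlow(strict)
    nonce = flow.start()
    return flow.finish(VICTIM_TOKEN, nonce) and flow.linked_token == VICTIM_TOKEN


def replay_accepted(strict):
    """A nonce already redeemed must not link the app a second time."""
    flow = LinkFlow(strict)
    nonce = flow.start()
    flow.finish(VICTIM_TOKEN, nonce)
    return flow.finish(ATTACKER_TOKEN, nonce)


def leaked_nonce_accepted(strict):
    """If the issued nonce reaches the attacker, the check alone cannot help."""
    flow = LinkFlow(strict)
    nonce = flow.start()   # imagine this value was redirected to an attacker server
    return flow.finish(ATTACKER_TOKEN, nonce)


if __name__ == "__main__":
    print("vulnerable handler accepts injected token:", injected_token_accepted(False))
    print("strict handler accepts injected token:   ", injected_token_accepted(True))
    print("strict handler accepts honest callback:  ", legitimate_link_accepted(True))
    print("strict handler accepts replay:           ", replay_accepted(True))
    print("strict handler accepts leaked nonce:     ", leaked_nonce_accepted(True))
```

The point of the last function is the one a practitioner should take from this article: the remote attack did not need to guess the nonce, it made the SDK hand the nonce over via a redirect. A correct fix therefore has to do two things, verify the nonce on the callback and never let the nonce travel to an endpoint the attacker can choose.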

In his blog post, IBM's Hay said that Dropbox SDK for Android versions 1.6.2 and later address the vulnerability.

“Developers are strongly encouraged to update their SDK to the latest version. In order to avoid exploitation of slowly updating apps, end users should update their apps to the latest versions and install the Dropbox app, which makes exploitation impossible,” Hay wrote.

On Wednesday, Dropbox published a post on its developer blog about the bug, describing it as a “minor security vulnerability” that had long been patched.

The company reiterated that, in order to be vulnerable to attack, a user would have to use an affected (vulnerable) app on their Android device, not have the Dropbox for Android app installed, and “visit a malicious page with their Android web browser targeting that app, or have a malicious app installed on their phone.” Dropbox continued: “An attacker could then link their Dropbox account to a vulnerable third-party app on the victim's device. This would then allow the attacker to capture new data a user saved to Dropbox via the vulnerable app."

The company added that the bug can't give attackers access to any existing files in a user's account, and that "users with the Dropbox app installed on their devices were never vulnerable."

"There are no reports or evidence to indicate the vulnerability was ever used to access user data," Dropbox said.

IBM published a white paper that provides more details on the vulnerability and the DroppedIn exploit.