Dropbox SDK vulnerability puts billions of Office files at risk


A flaw in the Dropbox SDK for Android could potentially put large numbers of MS Office files stored in the cloud at risk.

IBM's X-Force Application Security Research team has discovered a severe vulnerability in Dropbox's software development kit (SDK) used by Android app developers to connect to Dropbox so users can tap into their files via an app.

The biggest app that uses the Dropbox SDK is Microsoft Office Mobile, which is reckoned to host over 35 billion files on Dropbox for users. Microsoft Office Mobile, which likely holds sensitive information, has been downloaded more than 10 million times. Additionally, password manager AgileBits 1Password (100,000 downloads) and several productivity, photo editing and sharing tools use the same SDK.

The vulnerability may affect any Android app that uses the Dropbox SDK Version 1.5.4 and above. It can be exploited both locally by using malware and remotely by using drive-by techniques to install a compromised app allowing the hacker access to Dropbox files. It cannot, however, be exploited if the Dropbox app is installed on the device.

There's praise from Roee Hay, Security Researcher, X-Force Application Security Research Team at IBM Security, for Dropbox's speedy response to the disclosure. "We reported the issue to Dropbox, which acknowledged receipt after a mere six minutes. Less than 24 hours after the disclosure, Dropbox responded with a confirmation of the vulnerability, and a patch was issued only four days after the private disclosure. We would like to thank the Dropbox team for issuing one of the quickest patches we have ever witnessed. This undoubtedly shows the company's commitment to the security of its end users."

To ensure their apps aren't vulnerable, developers are encouraged to update their Dropbox SDK library as soon as possible. End users can protect themselves against apps that are slow to update by installing the Dropbox app on their device, which makes it impossible to exploit the vulnerability.

You can read more about the vulnerability and download a white paper with full details on IBM's Security Intelligence blog.
