IBM today is publicly disclosing a flaw that it found and reported to Dropbox, impacting the security of the popular file sharing and sync service. Since Dropbox functionality is embedded in multiple applications, the risk and potential impact is larger than just the Dropbox app itself.
The flaw, now identified as CVE-2014-8889, was found inside the Dropbox SDK (software development kit) for Android and could have potentially enabled an attacker to insert an arbitrary access token, to give the attacker access to user information.
IBM built a proof-of-concept exploit that it calls “DroppedIn” to test the impact of the vulnerability. Using the exploit, IBM found that 76 percent of the apps that it analyzed that leverage the Dropbox SDK were at risk from the flaw.
“IBM Security responsibly disclosed this vulnerability to Dropbox in December of 2014,” Roee Hay, lead researcher, IBM X-Force Application Security Research, told eSecurity Planet. “We worked with Dropbox to provide 90 days, to allow the ecosystem enough time to update apps relying on the SDK to the newer API.”
Hay noted that the vulnerability was just for the Dropbox SDK being used within Android apps; there is no indication that users of iOS or other operating systems would be affected. To be clear, it’s not Dropbox for Android itself that’s the big risk, but all of the apps on Android that leverage the Dropbox for Android SDK.
“Dropbox has already fixed this vulnerability on their end, as have several app vendors relying on the SDK,” Hay explained. “Since these apps are out of Dropbox’s control, the vendors need to make sure they’re using version 1.6.2 of the Dropbox SDK for Android, or higher, to address this vulnerability.”
Hay advised end users to apply patches for the apps on their devices. If they’re worried that their apps have not been updated, they can download the Dropbox app on their device to ensure they’re secure.
How the Dropbox Exploit Works
In terms of the actual exploit itself, there are a number of things that have to happen in order for IBM’s proof-of-concept DroppedIn exploit to work.
“The exploit would work against a user after they installed a vulnerable app and visited a malicious Web page on a mobile browser or they installed a malicious Android app designed to exploit the vulnerable app,” Hay said.
The exploit itself abuses functionality in the Oauth protocol that is used by the Dropbox SDK. However, Hay emphasized there’s nothing wrong with the protocol, and the Dropbox flaw is an implementation issue.
“This vulnerability was a result of a logic error in the Dropbox SDK for Android,” Hay said.
Hay added that IBM’s Application Security Research team found this vulnerability as part of its ongoing security research on Android application security.
“The team is constantly on the lookout for vulnerabilities that will impact our enterprise customers so we can find them before the attackers do,” Hay said.
Sean Michael Kerner is a senior editor at eSecurity Planet and InternetNews.com. Follow him on Twitter @TechJournalist.