The developers at Dropbox have recently patched a vulnerability in the Android SDK version of the Dropbox app. The remotely exploitable vulnerability could have enabled an attacker, under specific circumstances, to potentially save files to their Dropbox account, via compromised third party apps.*
Researchers at IBM, who found the vulnerability, called it a “serious flaw” in the SDK’s authentication mechanism: an attacker could have injected an arbitrary access token into the SDK’s flow, bypassing the protection.
Roee Hay, a team leader for IBM’s X-Force Application Security Research team, dug deeper into the flaw. In a blog entry he described it as an “implementation-specific vulnerability” (CVE-2014-8889) that allowed attackers to force the SDK to leak the nonce to the attacker’s server, thus “rendering the secrecy of the nonce useless.”
By manipulating the nonce, the attacker could link the app to their own account instead of the victim’s, and then trick the victim into downloading malicious data or uploading sensitive information.
Dropbox authenticates applications via OAuth. During the flow the SDK generates a long, unpredictable cryptographic number (the nonce); if the nonce the SDK generated matches the nonce returned to the app through the API, the two applications are linked and can access each other.
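As an added illustration (not Dropbox’s SDK code and not from the article), a Python model of the nonce binding described above: the SDK accepts an access token only if the callback carries the nonce it generated, and the nonce is single-use with a short lifetime. It shows why the check is only as strong as the nonce’s secrecy. The class name AuthSession, the TTL and the token strings are constructed placeholders.

```python
import hmac
import secrets
import time

# Constructed model of the SDK-side nonce check (not Dropbox's code).
# The SDK mints a nonce when the OAuth flow starts and must only accept an
# access token whose callback carries that exact nonce; the nonce is single-use.

NONCE_TTL_SECONDS = 300  # assumed lifetime for a pending nonce


class AuthSession:
    def __init__(self):
        self._pending = {}  # nonce -> time it was issued

    def start_auth(self):
        # Long, unpredictable nonce: the value whose leak defeats the check.
        nonce = secrets.token_urlsafe(32)
        self._pending[nonce] = time.time()
        return nonce

    def finish_auth(self, callback):
        """callback: dict the app hands back after the OAuth round trip."""
        nonce = callback.get("nonce", "")
        token = callback.get("access_token", "")
        if not nonce or not token:
            return None
        # Compare against every pending nonce in constant time, no early exit.
        match = None
        for pending in list(self._pending):
            if hmac.compare_digest(pending.encode(), nonce.encode()):
                match = pending
        if match is None:
            return None  # nonce was never issued by this SDK instance
        issued = self._pending.pop(match)  # single use: a replay fails below
        if time.time() - issued > NONCE_TTL_SECONDS:
            return None
        return token  # link the app to the account behind this token


def demo():
    sdk = AuthSession()
    nonce = sdk.start_auth()
    # Constructed callbacks: the legitimate one and one with a nonce the SDK
    # never issued, carrying a token for a different account.
    good = {"nonce": nonce, "access_token": "TOKEN_ACCOUNT_A_placeholder"}
    forged = {"nonce": secrets.token_urlsafe(32), "access_token": "TOKEN_ACCOUNT_B_placeholder"}
    return {
        "forged_rejected": sdk.finish_auth(forged) is None,
        "good_accepted": sdk.finish_auth(good) == good["access_token"],
        "replay_rejected": sdk.finish_auth(good) is None,
    }
```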
IBM named the vulnerability ‘DroppedIn’. In a video posted alongside the research, Hay and another IBM security researcher, Or Pele, show how they used the vulnerability as a vector to attack one of the apps that connected to the Dropbox SDK, an older version of 1Password. An attacker could thus potentially gain access to files newly saved through one of these compromised third-party apps.*
Many 1Password users share logins across numerous platforms via vaults that are normally synced through a cloud service such as Dropbox. Since the vulnerability was present in the SDK library itself, many apps that use it, such as 1Password and Microsoft Office Mobile, were shipping a vulnerable version of the SDK.
Since IBM reported the vulnerability, both 1Password and Microsoft have updated their apps on Google Play. Even with these fixes in place, users are still encouraged to make sure they are running the latest version, which includes the fixed Dropbox SDK.
As this was an SDK-only issue, any users who run the standalone Android version of the Dropbox app were never affected by it.
[Image via securityintelligence *edited for inaccuracies]
SOURCE: Threat Post