The developers at Dropbox have recently patched a vulnerability in the Android SDK version of the Dropbox app. The remotely exploitable vulnerability could have enabled an attacker, under specific circumstances, to save files to their own Dropbox account via compromised third party apps.*
Researchers at IBM, who found the vulnerability, called it a "serious flaw" in the SDK's authentication mechanism. An attacker could drop an arbitrary access token into the SDK's authentication flow, which would have bypassed the protection.
Roee Hay, a team leader for IBM's X-Force Application Security Research team, dug deeper into the flaw. He wrote in a blog entry that the flaw was an "implementation-specific vulnerability" (CVE-2014-8889) which granted attackers the ability to force the SDK to leak the nonce to the attacker's server, thus "rendering the secrecy of the nonce useless."
By manipulating the nonce, the attacker could link the app to their own account instead of the victim's, and then trick the victim into downloading malicious data or uploading sensitive information.
Dropbox authenticates applications via OAuth. During that exchange the SDK generates a long, unpredictable cryptographic value (a nonce); if the nonce the SDK generated matches the nonce the app receives back via the API, the two sides are linked and can access each other.
IBM has named the vulnerability the "DroppedIn" vulnerability. In a video that was posted alongside the research, Hay and another IBM security researcher, Or Pele, describe how they were able to use the vulnerability as a vector to attack one of the apps that connected to the Dropbox SDK, an older version of 1Password. Unfortunately, an attacker may have had the potential to gain access to newly saved files, which would have been saved via one of these compromised third party apps.*
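To make the nonce check concrete, here is an added model of the linking step described above (example code written for this article, not the Dropbox SDK's own implementation; the app names, the pending-link bookkeeping and the token values are assumed). It shows that the check rejects a guessed nonce and refuses replay, but accepts any caller who presents the real nonce, which is why a leaked nonce defeats it.

```python
import hmac
import secrets

# Assumed bookkeeping: nonce -> id of the app that started the link.
_pending = {}


def start_link(app_id):
    """SDK side: mint an unpredictable nonce for this link attempt."""
    nonce = secrets.token_urlsafe(32)
    _pending[nonce] = app_id
    return nonce


def complete_link(app_id, nonce, access_token):
    """SDK side: accept the token only if the nonce matches a pending
    link for this app. Each nonce is consumed on first use."""
    if not isinstance(nonce, str):
        return None
    match = None
    for pending_nonce in list(_pending):
        # Constant-time compare so the nonce cannot be recovered via timing.
        if hmac.compare_digest(pending_nonce.encode(), nonce.encode()):
            match = pending_nonce
    if match is None or _pending.pop(match) != app_id:
        return None
    return {"app": app_id, "token": access_token}


def check_scenarios():
    """Constructed scenarios: guessed nonce, leaked nonce, replayed nonce."""
    nonce = start_link("notes-app")
    # A callback carrying a guessed nonce is rejected...
    guessed = complete_link("notes-app", "guess", "attacker-token")
    # ...but one carrying the genuine nonce is accepted regardless of who
    # sent it, so the check is only as strong as the nonce's secrecy...
    leaked = complete_link("notes-app", nonce, "attacker-token")
    # ...and the same nonce cannot be used a second time.
    replay = complete_link("notes-app", nonce, "attacker-token")
    return guessed, leaked, replay
```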
https://www.youtube.com/watch?v=v3T_giEpF44
Numerous 1Password users share log-ins across many platforms via vaults that are normally synced through a cloud service such as Dropbox. Since the vulnerability was present in the SDK library itself, many apps that use it, such as 1Password and Microsoft Office Mobile, were shipping a vulnerable version of the SDK.
Since IBM reported the vulnerability, both 1Password and Microsoft have updated their apps in Google Play. Even though these fixes have been put into place, users are still encouraged to ensure they are running the latest version, which includes the fixed version of Dropbox's SDK.
As this was an SDK-only issue, any users who run the standalone Android version of the Dropbox app were never affected by it.
[Image via securityintelligence *edited for inaccuracies]
SOURCE: Threat Post