Dropbox has released an update to their Android Core and Sync/Datastore SDKs, after researchers at IBM discovered a vulnerability that would enable an attacker to connect applications to a Dropbox account under their control.
Dropbox claims the vulnerability is minor, but that didn't stop them from patching the issue four days after being notified.
The company held off on public notification for an additional 90 days in order to give developers time to update their applications. It isn't clear if that was enough time in all cases, but at least one major developer addressed the issue – Microsoft.
Microsoft and AgileBits (1Password) were just two of the more popular Android app developers vulnerable to the flaw, with a combined user base of more than 10 million people. In each case, users running the latest version of the respective software are protected.
In order for users to be impacted by the flaw discovered by IBM, they first need to have an affected application installed on the device. During testing, IBM discovered 1.4 percent of the top 500 applications on Google Play used the broken Dropbox Android SDK, including 1Password and Microsoft Mobile Office.
If an affected application is on the device, the second condition for an attack is that the user does not have the Dropbox application installed. If those two conditions are met, then all an attacker needs to do is direct the victim to a malicious website in the Android browser, or get them to install a malicious application.
If successful, the attacker could capture new data saved to Dropbox without the victim ever knowing.
"Every app works differently, so many apps using the affected SDKs weren’t vulnerable at all or required additional factors to exploit. This vulnerability couldn’t give attackers access to any existing files in a user’s account, and users with the Dropbox app installed on their devices were never vulnerable. There are no reports or evidence to indicate the vulnerability was ever used to access user data," Dropbox said in a statement.
The Dropbox SDK flaw impacts versions older than Core API Android SDK v1.6.3 and Sync/Datastore Android SDK v3.1.2. Developers are strongly encouraged to update their products in order to ensure the issue is fully resolved.
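One practical way for a developer or app-security reviewer to act on the version information above is to scan a build's dependency declarations and flag any Dropbox SDK older than the patched releases. The script below is an added example, not code from the article, IBM or Dropbox: the only facts it takes from the article are the two patched version numbers (Core 1.6.3, Sync/Datastore 3.1.2). The artifact names it matches (`dropbox-android-sdk`, `dropbox-sync-sdk`) and the Gradle snippet it scans are constructed placeholders, not the SDKs' real Maven coordinates; substitute the coordinates your build actually uses.

```python
import re

# Patched releases named in the article; anything older is affected.
PATCHED = {
    "core": (1, 6, 3),   # Core API Android SDK v1.6.3
    "sync": (3, 1, 2),   # Sync/Datastore Android SDK v3.1.2
}

# ASSUMPTION: placeholder artifact names mapped to an SDK family.
# These are not the real Maven coordinates of the Dropbox SDKs.
ARTIFACT_FAMILY = {
    "dropbox-android-sdk": "core",
    "dropbox-sync-sdk": "sync",
}

# Matches Gradle-style 'group:artifact:version' dependency strings.
DEP_RE = re.compile(r"""['"]([\w.\-]+):([\w.\-]+):([\d.]+)['"]""")


def parse_version(text):
    """Turn '1.6.10' into (1, 6, 10) so comparisons are numeric, not lexical.

    A plain string compare would wrongly rank '1.6.10' below '1.6.3'.
    """
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(family, version):
    """True if `version` of the given SDK family predates the patched release."""
    return parse_version(version) < PATCHED[family]


def scan_dependencies(gradle_text):
    """Return (artifact, version, vulnerable) for every recognised Dropbox SDK dependency."""
    findings = []
    for _group, artifact, version in DEP_RE.findall(gradle_text):
        family = ARTIFACT_FAMILY.get(artifact)
        if family is None:
            continue  # not one of the SDKs we care about
        findings.append((artifact, version, is_vulnerable(family, version)))
    return findings


# Constructed sample build file; group ids and versions are made up for the demo.
SAMPLE_GRADLE = """
dependencies {
    compile 'com.example.placeholder:dropbox-android-sdk:1.6.1'
    compile 'com.example.placeholder:dropbox-sync-sdk:3.1.2'
    compile 'com.example.placeholder:dropbox-android-sdk:1.6.10'
    compile 'com.example.other:okhttp:2.2.0'
}
"""

if __name__ == "__main__":
    for artifact, version, vulnerable in scan_dependencies(SAMPLE_GRADLE):
        status = "VULNERABLE - update" if vulnerable else "ok"
        print(f"{artifact}:{version}  {status}")
```

Note the numeric version comparison: the case that bites people in practice is a string compare that ranks `1.6.10` below `1.6.3` and reports a patched build as affected.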
IBM has a detailed write-up of their research on the company's Security Intelligence Blog.