Dropbox says the issue is minor, but it was serious enough to be patched in four days

Dropbox has released an update to their Android Core and Sync/Datastore SDKs, after researchers at IBM discovered a vulnerability that would enable an attacker to connect applications to a Dropbox account under the attacker's control.

Dropbox claims the vulnerability is minor, but that didn’t stop them from patching the issue four days after being told.

The company held off on public notification for an additional 90 days in order to give developers time to update their applications. It isn’t clear if that was enough time in all cases, but at least one major developer addressed the issue: Microsoft.

Microsoft and AgileBits (1Password) were just two of the more popular Android app developers vulnerable to the flaw, with a combined user base of more than 10 million people. In each case, users running the latest version of the respective software are protected.

In order for users to be impacted by the flaw discovered by IBM, they first need to have an affected application installed on the device. During testing, IBM discovered 1.4 percent of the top 500 applications on Google Play used the broken Dropbox Android SDK, including 1Password and Microsoft Mobile Office.

If an affected application is on the device, the second condition for an attack is that the user not have the Dropbox application installed. If those two conditions are met, then all an attacker needs to do is direct the victim to a malicious website in the Android browser, or get the victim to install a malicious application. If successful, the attacker could capture new data saved to Dropbox without the victim ever knowing.

“Every app works differently, so many apps using the affected SDKs weren’t vulnerable at all or required additional factors to exploit. This vulnerability couldn’t give attackers access to any existing files in a user’s account, and users with the Dropbox app installed on their devices were never vulnerable.
There are no reports or evidence to indicate the vulnerability was ever used to access user data,” Dropbox said in a statement.

The Dropbox SDK flaw impacts versions older than Core API Android SDK v1.6.3 and Sync/Datastore Android SDK v3.1.2. Developers are strongly encouraged to update their products in order to ensure the issue is fully resolved.

IBM has a detailed write-up of their research on the company’s Security Intelligence Blog.