IBM uncovers critical Dropbox SDK for Android vulnerability

Android app developers are being urged to update their Dropbox SDK to the latest version after IBM's team of application security researchers found a severe vulnerability that has the potential to affect billions of files.

The IBM X-Force Application Security Research Team discovered the vulnerability in Dropbox SDK for Android versions 1.5.4 and above. It meant an attacker could connect applications on any Android device to a Dropbox account the attacker controlled.

Dropbox was quick to act and, according to IBM, issued a patch within four days of being told of the problem by IBM's team of researchers.

The vulnerability arose from the authorization mechanism used in the Dropbox SDK for Android and had the potential to scupper any app using it. That includes Microsoft Office Mobile, which reportedly hosts some 35 billion files on Dropbox for its Android users, and AgileBits 1Password.

How to protect yourself
Attackers were able to insert an arbitrary access token into the Dropbox SDK at the nonce verification stage, bypassing that particular protection. This left a gap in the SDK's armor that could be exploited to give attackers access to the nonce on their own servers.
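As an added illustration (not code from the Dropbox SDK or from IBM's write-up), the following Python models the check an app must make when an authorization result arrives: the access token is accepted only if the result carries the nonce the app itself generated and still holds, so a result bearing an arbitrary token and a nonce the app never issued is rejected. The class and function names are assumptions.

```python
import hmac
import secrets


class LinkError(Exception):
    """Raised when an authorization result cannot be tied to a request this app made."""


class AuthSession:
    """App side of an SDK-style authorization handshake (constructed model, not the SDK)."""

    def __init__(self):
        self._pending = None  # nonce of the single outstanding authorization request

    def start_authorization(self):
        """Generate an unguessable nonce and keep a local copy as the source of truth."""
        self._pending = secrets.token_urlsafe(32)
        return self._pending  # travels with the request to the authorizing app

    def complete_authorization(self, returned_nonce, access_token):
        """Accept the token only if the result echoes the nonce this app issued."""
        expected = self._pending
        self._pending = None  # single use: a replayed or second result is rejected
        if expected is None:
            raise LinkError("no authorization request pending")
        # Compare against the stored nonce, never against anything in the result itself.
        if not isinstance(returned_nonce, str) or not hmac.compare_digest(expected, returned_nonce):
            raise LinkError("nonce mismatch: result is not bound to our request")
        if not access_token:
            raise LinkError("empty access token")
        return access_token


def link_with_genuine_result(session):
    """Constructed happy path: the authorizing app returns our nonce with a token."""
    nonce = session.start_authorization()
    return session.complete_authorization(nonce, "constructed-token-for-our-account")


def link_with_injected_result(session):
    """Constructed attack shape: a result with a nonce we never issued and a foreign token."""
    session.start_authorization()
    try:
        session.complete_authorization("nonce-we-never-issued", "constructed-token-for-other-account")
    except LinkError as err:
        return str(err)
    return "accepted"
```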

Both companies are imploring developers to update to the latest patched version of the SDK immediately (v1.6.3, or Sync/Datastore Android SDK v3.1.2). For end users, installing the Dropbox for Android app makes the vulnerability impossible to exploit.