New Dropbox vulnerability puts Android users at risk

Update: Dropbox has issued a statement on the vulnerability. 

The company says that the vulnerability is in fact “minor” and that it “only impacts new files being saved into the users Dropbox via a vulnerable app that has not updated or been patched by the end user.”

Microsoft and AgileBits have also updated their apps in the Google Play store to the new SDK that Dropbox issued to address the vulnerability.

Original article continues below.

 

A new vulnerability has been found in Dropbox's software development kit (SDK) that allows an attacker to harvest data from Microsoft Office Mobile for Android users.

The vulnerability, discovered by IBM’s X-Force Application Security Research team, has been dubbed “DroppedIn” and allows an attacker to connect applications on a user’s mobile device to a Dropbox account controlled by the hacker, and to subsequently extract data.

According to an IBM statement, the impact of this vulnerability is “severe” as the biggest app that uses the SDK is Microsoft Office Mobile “which according to reports, hosts over 35 billion files on Dropbox for users.”

In a separate blog post, the IBM security team said that the vulnerability can be exploited either using “a malicious app installed on the user’s device or remotely using drive-by techniques,” although it cannot be exploited if “the Dropbox app is installed on the device.”

According to IBM, the app has been downloaded more than 10 million times in total, while several other productivity apps, including the password manager AgileBits 1Password, also use the SDK.

Dropbox has updated its Android SDK in response, and is urging app developers to update their software as well.

Dave Yin
Digital Staff Writer at Computer Dealer News, covering Canada's IT channel.
