Update: Dropbox has issued a statement on the vulnerability.
The company says that the vulnerability is in fact “minor” and that it “only impacts new files being saved into the users Dropbox via a vulnerable app that has not updated or been patched by the end user.”
Microsoft and Agilebits have also updated their apps in the Google Play store to the new SDK that Dropbox issued to address the vulnerability.
Original article continues below.
A new vulnerability has been found in Dropbox‘ software development kit (SDK) and it allows an attacker to harvest data from Microsoft Office Mobile for Android users.
The vulnerability, discovered by IBM’s X-Force Application Security Research team, has been dubbed “DroppedIn” and allows an attacker to connect applications on a user’s mobile device to a Dropbox account controlled by the hacker, and to subsequently extract data.
According to an IBM statement, the impact of this vulnerability is “severe” as the biggest app that uses the SDK is Microsoft Office Mobile “which according to reports, hosts over 35 billion files on Dropbox for users.”
In a separate blog post, the IBM security team said that the vulnerability can be exploited either using “a malicious app installed on the user’s device or remotely using drive-by techniques,” although it cannot be exploited if “the Dropbox app is installed on the device.”
According to IBM, in total, the app has been downloaded more than 10 million times, while several other productivity apps including password manager AgileBits 1Password also use the SDK.
Dropbox has updated its Android SDK in response, and is urging app developers to update their software as well.