naxworking.blogg.se

Dropbox links security












The IBM X-Force Application Security Research Team has discovered a vulnerability in the Dropbox SDK for Android (CVE-2014-8889) that allows attackers to connect applications on mobile devices to a Dropbox account controlled by the attacker without the victim’s knowledge or authorization.

This is a serious flaw in the authentication mechanism within any Android app using Dropbox SDK versions 1.5.4 through 1.6.1 (note: this vulnerability was resolved in Dropbox SDK for Android v1.6.2). The vulnerability can be exploited in two ways: using a malicious app installed on the user’s device, or remotely using drive-by techniques. It cannot, however, be exploited if the Dropbox app is installed on the device (it does not even need to be configured, just installed).

Upon discovery of the vulnerability, the IBM team privately disclosed the issue to Dropbox. The response from Dropbox to this security threat was particularly noteworthy: they acknowledged receipt of the disclosure within a mere six minutes, confirmed the vulnerability within 24 hours, and released a patch within just four days. This undoubtedly shows the company’s commitment to security; it was one of the fastest response times the IBM Security team has seen in its long history of vulnerability research. With a patch available, it is highly recommended that developers update their Dropbox SDK library.
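A build-side check for the affected range stated above (Dropbox SDK for Android 1.5.4 through 1.6.1, fixed in 1.6.2), given here as an added example rather than code from IBM or Dropbox. It assumes the SDK is bundled as a jar named `dropbox-android-sdk-<version>.jar`; the function names and sample paths are constructed for illustration.

```python
import re
from pathlib import Path

# Affected range as stated on this page: 1.5.4 through 1.6.1 (fixed in 1.6.2).
FIRST_AFFECTED = (1, 5, 4)
LAST_AFFECTED = (1, 6, 1)

# Assumption: the SDK ships in the app as dropbox-android-sdk-<version>.jar.
JAR_NAME = re.compile(r"^dropbox-android-sdk-(\d+(?:\.\d+)*)\.jar$", re.IGNORECASE)


def parse_version(text):
    """Turn '1.6' into (1, 6, 0) so versions compare numerically, not as strings."""
    parts = [int(p) for p in text.split(".")]
    parts += [0] * (3 - len(parts))
    return tuple(parts)


def is_affected(version_text):
    """True when the version lies inside the affected range, bounds included."""
    return FIRST_AFFECTED <= parse_version(version_text) <= LAST_AFFECTED


def classify(paths):
    """Return {path: (version, affected)} for every Dropbox Android SDK jar."""
    findings = {}
    for path in paths:
        match = JAR_NAME.match(Path(path).name)
        if match:
            version = match.group(1)
            findings[str(path)] = (version, is_affected(version))
    return findings


def scan_tree(root):
    """Walk a project checkout and classify every bundled SDK jar."""
    return classify(Path(root).rglob("*.jar"))


# Constructed sample paths, not taken from any real project.
SAMPLE = [
    "app/libs/dropbox-android-sdk-1.5.4.jar",
    "legacy/libs/dropbox-android-sdk-1.6.1.jar",
    "patched/libs/dropbox-android-sdk-1.6.2.jar",
    "old/libs/dropbox-android-sdk-1.5.3.jar",
    "app/libs/gson-2.3.jar",
]

if __name__ == "__main__":
    for path, (version, affected) in classify(SAMPLE).items():
        print(f"{'UPDATE' if affected else 'ok':6} {version:7} {path}")
```

Run `scan_tree(".")` from a project root to check a real checkout; a jar renamed without its version number will not be matched and needs manual inspection.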













