Android SDK Flaw Could Enable Dropbox Data Theft

Researchers at IBM say a flaw in an software development kit (SDK) by Dropbox could cause users to accidentally share data with a malicious actor's Dropbox account.
Researchers at IBM say a flaw in an software development kit (SDK) by Dropbox could cause users to accidentally share data with a malicious actor’s Dropbox account.

In-brief: IBM researchers say they discovered a flaw in an SDK from the cloud storage firm Dropbox that could result in Android users accidentally sending their data to a Dropbox account controlled by a malicious actor.

Researchers at IBM’s X-Force said they discovered a flaw in an SDK from the cloud storage firm Dropbox that could result in Android users accidentally sending their data to a Dropbox account controlled by a malicious actor.

In a blog post on Wednesday, IBM said the vulnerability, CVE-2014-8889, is a “serious flaw in the authentication mechanism within any Android app using a Dropbox SDK.” The vulnerability can be exploited in two ways: using a malicious application installed on the users’ device or remotely using malicious links to drive-by download websites.  Version 1.5.4 through 1.6.1 of the Dropbox SDK for Android contain the vulnerability. Dropbox addressed the issue starting with Version 1.6.2.

[Read more Security Ledger coverage of problems with SDKs.]

The specifics of the vulnerability are complicated. In brief: IBM researches discovered that a malicious actor could insert herself into the process by which a Dropbox user authenticates and authorizes a mobile application to access a Dropbox account. By forcing the mobile browser on an Android device to manipulate a parameter called INTERNAL_WEB_HOST , an attacker can determine which web host the mobile browser surfs to when authenticating to Dropbox. In the process, the SDK exposes a unique value (or “nonce”) used to secure that session, allowing the attacker to bypass the protection provided by the nonce. The end result would be that a Dropbox user may synchronize data from their mobile device to a Dropbox account controlled by the hacker, X-force said.

 

There are some big caveats, however. Any Dropbox user who has installed the Dropbox mobile application for Android would not be vulnerable to such an attack- even if they have not activated that application.

The other key point is that the user’s Dropbox account is never compromised. The danger in any attack would be of the Dropbox user accidentally syncing sensitive information to the Dropbox account controlled by the attacker. In the example cited by IBM, the application 1Password for Android is tricked into syncing with the attacker’s Dropbox account. That could result in an encrypted keyfile being transferred to attackers – who could then work to decrypt it offline and gain access to the passwords stored inside. Other attacks could come through Microsoft’s Office for Android, IBM said.

In an interview with The Security Ledger, Chris Varenhorst and Devdatta Akhawe, security engineers at Dropbox, said that the company addressed the problem in an update to the Android SDK in December. Dropbox has personally notified the 150 top Android developers who use that SDK of the need to update. That represents a “huge portion” of the Android applications out there with Dropbox integrations.

The two said that the vulnerability is limited in scope, given that the “vast majority” of Dropbox users who access their account from an Android device do so through the official Dropbox application. Attackers would need to find an Android user with a Dropbox account, but without the Dropbox for Android application install. They would then need to target an attack on a specific application that they knew was running on the device – say Microsoft office, said Varenhorst.

Still, the company said it appreciated IBM’s research.

“We learn from these vulnerabilities more broadly,” said Akhawe. “Authentication protocols are hard and you really have to get them right.” Dropbox is hiring pen testers to specifically focus on authentication issues, he said.

Spread the word!