CATEGORIES
home News

IBM Researchers Discover Malicious ‘DroppedIn Exploit’ In Dropbox For Android SDK

by Rob WilliamsThursday, March 12, 2015, 02:30 PM EDT

IBM's X-Force Application Security Research Team has discovered a severe bug that plagues the Dropbox SDK on Android, which apps can use to interact with the cloud storage service. Dubbed 'DroppedIn', unauthorized apps have been able to access a rogue Dropbox account, potentially allowing an attacker to grab data off of your device for their later perusal.

The bug affects SDK version 1.5.4 through 1.6.1, and has been fixed as of 1.6.2. As serious as this bug is, it's nice to know that Dropbox wasted no time in fixing it. Security Intelligence notes that Dropbox responded to IBM's email about the bug within six minutes, and it confirmed the vulnerability within 24 hours. Finally, it patched the bug and rolled out a new version of the API a mere four days later. I am thinking that Microsoft might want to start taking after Dropbox when it comes to issuing these fixes!

Unfortunately, the SDK isn't a component that a user can update themselves; it needs to be updated by the developer of the app that implements it. But that said, if you happen to have the official Dropbox app installed - even if it's never been opened - it renders this bug useless, as at that point, any Dropbox interaction will require that app and proper authentication to function.

Sign into Dropbox

According to app-tracking site AppBrain, an impressive 0.31% of the apps it tracks use the Dropbox API. Nowadays, even some games make use of the API for sharing of certain game data, and a game emulator I use actually allows you to save your progress straight to a Dropbox account (extremely useful when you move from device to device).

While the prospect of what this bug could allow is a little scary, there's actually been no proof up to this point that it's been exploited by anyone. IBM, and its research team, could have prevented the opposite from being true. Still, if you use any Android apps that utilize Dropbox and you don't have the official Dropbox app installed, you'd do well to make sure that those apps are up-to-date.

I should note, though, that chances are good that you're already protected well from this bug. While the bug was fixed in API version 1.6.2, 1.6.3 came out in the second week of January. IBM clearly wanted to wait a little bit before exposing this bug, to make sure everyone would be safe. Good guy, IBM.

Tags:  IBM, security, exploit, Dropbox, nyse:ibm
TOP CONVERSATIONS
Your Next PC Platform?
More Results
KEEP INFORMED
SITE

Home

Reviews

News

Blogs

Full Site

Sitemap

CATEGORIES

PC Components

Systems

Mobile

IT Infrastructure

Leisure

Videos

COMPANY

About

Advertise

News Tips

Contact

Privacy And Terms

HotTech

MORE

Accessibility

Shop

STAY CONNECTED

Twitter

Facebook

YouTube

RSS

As an Amazon and Howl Technologies Associate, HotHardware earns a commission from qualifying purchases made on this site. This site is intended for informational and entertainment purposes only. The contents are the views and opinion of the author and/or his associates. All products and trademarks are the property of their respective owners. Reproduction in whole or in part, in any form or medium, without express written permission of Hot Hardware, Inc. is prohibited. All content and graphical elements are Copyright © 1999 - 2024 David Altavilla and Hot Hardware, Inc.
All rights reserved. Privacy and Terms - Accessibility Commitment