Dropbox Fixes Exploitable Vulnerability

Share on FacebookTweet about this on TwitterShare on Google+Share on RedditShare on LinkedInPrint this pageEmail this to someone

Updated: 3/13/2015 (1:35PM EDT) to address specifics of the vulnerability and clarify that at no point did the attacker ever have access to user’s existing Dropbox account or files.

Developers at Dropbox recently managed to fix a serious security glitch in their Android SDK version. Under a set of very specific circumstances, an attacker could link their Dropbox account to compromised third party apps on the victim’s Android device which would allow the attacker to capture new data a user saved to Dropbox. This flaw would not allow an attacker to access a user’s existing Dropbox account or files. Security searchers at the International Business Machines Corp (NYSE:IBM) discovered the flaw.

IBM’s Roee Hay, who leads the X-Force security research team, wrote in a blog post detailing how they discovered the vulnerability in Dropbox’s SDK authentication mechanism. The flaw could be exploited by hackers to steal information from the app that uses the faulty SDK. Hay noted that it could be achieved through malware, or what is called drive-by exploitation.

How it could happen

However, in order for hackers to be successful in the Android SDK version breach, they needed to first obtain an access token. The hackers also needed to trick the victim to a malicious site and then leak the victim’s information to their own servers. Afterwards, the hackers could impersonate the authentic user of the vulnerable SDK and upload their malicious token to the targeted app.

Quick response

According to the International Business Machines Corp (NYSE:IBM)’s security team that identified the flaw, Dropbox responded quickly to fix the problem. Dropbox was able to acknowledge the existence of the vulnerability in just four minutes and issued a confirmation within 24 hours. The cloud storage company eventually fixed the security glitch in four days.

To stay safe from potential attacks, users of the SDK are encouraged to get the latest updated version that has the fix.

In the face of widespread security breaches, Facebook Inc (NASDAQ:FB) recently came up with a security collaboration feature known as ThreatExchange to allow companies to beat threats to their systems. Under ThreatExchange, companies can share information about threats to their systems by uploading details to the hub and letting other companies learn about the new threats. That enables companies that have not already been hit to move fast and implement the necessary security measures to stay safe.

Neha Gupta

Neha Gupta has been in the financial space for over six years now. Gupta earned her MBA degree from Symbiosis Centre of Distance Learning in 2009 and her passion for finance led her to pursue Chartered Financial Analyst (CFA) course. She has successfully completed Level II of her CFA. She is a veteran in article writing, which is depicted in her numerous pieces published on SeekingAlpha, Nextiphonenews, InsiderMonkey, MarketWatch, and Techinsider. Her crisp and eloquent writing finds its best place in Researchcows, where emphasis is given on developing rich content for various websites, products, business plans, trainings, and book writing.

You may also like...

More in FB
Facebook Inc (NASDAQ:FB)
Class Action Lawsuit Against Facebook Inc (FB) For Allowing Unauthorized Minor Purchases

Facebook Inc (NASDAQ:FB) will face a class action lawsuit nationwide, for allowing unauthorized minor purchases, a federal judge said. Plaintiffs in...

Close