Dropbox Fixes Exploitable Vulnerability
Updated: 3/13/2015 (1:35PM EDT) to address specifics of the vulnerability and clarify that at no point did the attacker ever have access to a user’s existing Dropbox account or files.
Developers at Dropbox recently fixed a serious security flaw in the Android version of their SDK. Under a set of very specific circumstances, an attacker could link their Dropbox account to compromised third-party apps on the victim’s Android device, which would allow the attacker to capture new data a user saved to Dropbox. This flaw would not allow an attacker to access a user’s existing Dropbox account or files. Security researchers at the International Business Machines Corp (NYSE:IBM) discovered the flaw.
IBM’s Roee Hay, who leads the X-Force security research team, wrote a blog post detailing how the team discovered the vulnerability in the authentication mechanism of Dropbox’s SDK. The flaw could be exploited by hackers to steal information from an app that uses the faulty SDK. Hay noted that this could be achieved through malware, or through what is called drive-by exploitation.
How it could happen
To exploit the flaw in the Android SDK, hackers first needed to obtain an access token. They also needed to lure the victim to a malicious site and then leak the victim’s information to their own servers. Afterwards, the hackers could impersonate the authentic user of the vulnerable SDK and upload their malicious token to the targeted app.
According to the security team at International Business Machines Corp (NYSE:IBM) that identified the flaw, Dropbox responded quickly to fix the problem. Dropbox acknowledged the existence of the vulnerability in just four minutes and issued a confirmation within 24 hours. The cloud storage company eventually fixed the security glitch in four days.
To stay safe from potential attacks, users of the SDK are encouraged to update to the latest version, which contains the fix.
In the face of widespread security breaches, Facebook Inc (NASDAQ:FB) recently came up with a security collaboration feature known as ThreatExchange to allow companies to beat threats to their systems. Under ThreatExchange, companies can share information about threats to their systems by uploading details to the hub and letting other companies learn about the new threats. That enables companies that have not already been hit to move fast and implement the necessary security measures to stay safe.