Slashdot Mirror


Flaw In Dropbox SDK For Android Lets Attackers Steal Data Sent To Users' Account

An anonymous reader writes: Researchers from IBM's security team have discovered an authentication flaw in the Dropbox Software Development Kit (SDK) for Android that can be exploited to capture new data a user saves to their Dropbox account. The flaw has been extensively documented by the researchers in a blog post, but the things you initially need to know are these: the vulnerability can be exploited if you use an app that uses a Dropbox SDK Version 1.5.4 through 1.6.1 (the latest one is v1.6.3), or if you visit a specially-crafted malicious page with your Android web browser targeting that app, and that's only if you don't have the Dropbox for Android app installed. Also, an attacker can't access the data you have previously stored in your Dropbox account.
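The summary gives three conditions that together decide whether a given phone is exposed: an installed app bundles SDK 1.5.4 through 1.6.1, the fixed SDK is 1.6.3, and the flaw is only reachable when the Dropbox for Android app itself is absent. The following is an added triage script (not IBM's, Dropbox's or the article's code) that applies exactly those conditions to a constructed inventory of installed apps and their bundled SDK versions. The inventory format and package names are assumptions; the status labels are mine. It compares versions as integer tuples rather than strings, because a plain string comparison would wrongly place a hypothetical 1.6.10 inside the vulnerable range.

```python
"""Triage installed Android apps against the Dropbox SDK advisory conditions.

Added example, not code from the article, IBM or Dropbox. The app inventory
below is constructed for illustration. Conditions as stated in the summary:
  - app bundles Dropbox SDK for Android 1.5.4 through 1.6.1 (1.6.3 is fixed)
  - the flaw is only exploitable when the Dropbox for Android app is NOT installed
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Affected range from the advisory summary (inclusive on both ends).
VULN_MIN: Tuple[int, ...] = (1, 5, 4)
VULN_MAX: Tuple[int, ...] = (1, 6, 1)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.6.3' (or '1.6.3-rc1') into (1, 6, 3) so comparison is numeric.

    Comparing version strings lexically is a classic mistake: '1.6.10' < '1.6.2'
    as strings, but 10 > 2 numerically.
    """
    parts = []
    for piece in version.strip().split("."):
        match = re.match(r"\d+", piece)
        if not match:
            raise ValueError(f"unparseable version component {piece!r} in {version!r}")
        parts.append(int(match.group(0)))
    return tuple(parts)


def sdk_is_vulnerable(version: str) -> bool:
    """True when the bundled SDK version lies within 1.5.4 .. 1.6.1 inclusive."""
    return VULN_MIN <= parse_version(version) <= VULN_MAX


@dataclass
class InstalledApp:
    package: str
    # None when the app does not bundle the Dropbox SDK at all (assumed inventory field)
    dropbox_sdk_version: Optional[str]


# Constructed sample inventory; package names are hypothetical.
SAMPLE_APPS: List[InstalledApp] = [
    InstalledApp("com.example.budget", "1.6.0"),   # inside affected range
    InstalledApp("com.example.sync", "1.5.4"),     # lower bound of range
    InstalledApp("com.example.notes", "1.6.3"),    # fixed SDK
    InstalledApp("com.example.photos", "1.5.3"),   # predates affected range
    InstalledApp("com.example.flashlight", None),  # no Dropbox SDK bundled
]


def triage(apps: List[InstalledApp], dropbox_app_installed: bool) -> Dict[str, str]:
    """Classify each app as 'exploitable', 'mitigated' or 'not_affected'.

    'mitigated' means the app bundles an affected SDK but the Dropbox for Android
    app is present, which per the advisory summary blocks exploitation; the app
    should still be updated to a fixed SDK.
    """
    result: Dict[str, str] = {}
    for app in apps:
        if app.dropbox_sdk_version is None or not sdk_is_vulnerable(app.dropbox_sdk_version):
            result[app.package] = "not_affected"
        elif dropbox_app_installed:
            result[app.package] = "mitigated"
        else:
            result[app.package] = "exploitable"
    return result


if __name__ == "__main__":
    for installed in (False, True):
        print(f"Dropbox app installed: {installed}")
        for pkg, status in triage(SAMPLE_APPS, installed).items():
            print(f"  {pkg:28s} {status}")
```

Running it with `dropbox_app_installed=False` lists the two apps in the affected range as exploitable; flipping the flag to `True` downgrades them to mitigated, which is the situation the "Block the flaw" comment and the last comment are asking about. Apps on 1.6.3 or on nothing at all are unaffected either way.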

23 comments

  1. The NSA OWNS Android SDK by Anonymous Coward · · Score: 0

    It does!

  2. Dropbox going to cut-off insecure apps? by Anonymous Coward · · Score: 1

    Is there a way for Dropbox to block log-in access from apps that have not been updated to the latest SDK?

    This would keep the users safe and put pressure on the app developers to update.

  3. dropbox is run by retards by Anonymous Coward · · Score: 1

    just like all other 3rd party cloud solutions.

    you're all idiots.

    1. Re:dropbox is run by retards by Anonymous Coward · · Score: 0

      You got it wrong, sir. Its users are the severely mentally challenged - when in the asylum you only need be a little brighter, or as I used to say after I wearied, "Man, don't arrange to have me sent to no asylum; I'm just as sane as anyone; it's just a game I play for fun - FOR FUN!"

      Now I come here. Self-committed.

  4. Dropbox by fustakrakich · · Score: 1

    They offer something Google Drive doesn't? I only ask because I wonder why anybody would clutter up their phones and tablets with duplicate programs.

    --
    “He’s not deformed, he’s just drunk!”

    1. Re:Dropbox by Anonymous Coward · · Score: 0

      If you have a lot of files on Dropbox, I doubt you could access them using the Google Drive app. So I don't think this one counts as a "duplicate program"...

    2. Re:Dropbox by Anonymous Coward · · Score: 0

      They offer something Google Drive doesn't?

      Yeah, they're not Google.
      To some people, that's a selling point.

    3. Re:Dropbox by DigitalPagan · · Score: 3, Insightful

      They offer something Google Drive doesn't?

      Linux support.

    4. Re:Dropbox by Anonymous Coward · · Score: 0

      For a long time, Drive wouldn't auto-upload your photos. That's why I have dropbox, and now that I have so many devices linked to it, the inertia means I'm not going to switch to Drive quickly.

  5. Block the flaw by graymatter1945 · · Score: 4, Informative

    Install the Dropbox app and block the flaw. "End users (device owners) must update their apps that rely on the SDK and are also encouraged to install the Dropbox app, which makes it impossible to exploit the vulnerability; this is because the vulnerable SDK code is not invoked when the local Dropbox app is installed," IBM researchers noted.

  6. funny by Anonymous Coward · · Score: 2, Insightful

    I discontinued the use of Dropbox right after they announced Condi Rice was joining their board. Someone who rampantly supported the domestic spying initiatives sitting for a company that claims to value user privacy sounds like the punchline of a joke. Now we see stories about the NSA repeatedly trying to insert and exploit vulnerabilities into software and products... suspect? yes.

    1. Re: funny by Anonymous Coward · · Score: 0

      This is SO true

  7. So what online storage is safe? by BoRegardless · · Score: 1

    None of them in my opinion based on what I've read.

    1. Re:So what online storage is safe? by Anonymous Coward · · Score: 0

      SpiderOak

      https://spideroak.com/

    2. Re:So what online storage is safe? by mrmeval · · Score: 1

      If you are not encrypting the stuff before they get it, you're a fool.

      I don't see the point when my NAS is available, I use Openvpn and it's trivial to set up securely. Changes are encrypted and stored on that miraculous thing called a server I own that is co-located on a remote island. It is cheap and I only store encrypted backups on it.

      I am taking notes on what else I should do to protect that stuff further. ;)

      --
      I'd go on a Vegan diet but the delivery time from Vega is too long. --brownkitty

    3. Re:So what online storage is safe? by Anonymous Coward · · Score: 0

      Tresorit (.com) is good too.

  8. Condoleezza Rice is on the Dropbox board by Anonymous Coward · · Score: 2, Informative

    That's all you need to know.

    Don't use Dropbox.

    1. Re:Condoleezza Rice is on the Dropbox board by Anonymous Coward · · Score: 0

      And what? Better the Devil you know. Do you know who the major shareholders in facebook are?

  9. Full of flaws by Anonymous Coward · · Score: 0

    Dropbox has a proven track record of bad security. I use it but only through the web interface (no apps) and I always assume that the data I put there is open to the public.

  10. Users' Account by edittard · · Score: 1

    If several people are sharing one account then you've already got problems.

    --
    At the bottom of the /. main page it says 'Yesterday's News'. Well they got that right.

  11. Why would I use anything Except Dropbox by Anonymous Coward · · Score: 0

    Come on folks. It's bad enough that I actually find dropbox useful but to use anything except Dropbox itself (they've got an android version) to access my files is sheer stupidity. Every time we turn around, we're reminded not to share our PW to Dropbox, Amazon, Newegg, Netflix and anyone else, then they offer a stupid SDK that has a flaw? What in hell were the Dropbox devs thinking?

  12. Dropbox does file dedup; hence it's insecure by Anonymous Coward · · Score: 0

    They can access all your files in order to dedupe with other users' files. That means the TLAs can all access them as well. I stopped using DropBox once I understood the implications.

    Buy a NAS, set up backintime on Linux or something and stay away from corporate clouds.

  13. Huh? by Anonymous Coward · · Score: 0

    Does anyone else not understand wtf this means exactly:

    ...the things you initially need to know are these:
    the vulnerability can be exploited if you use an app that uses a Dropbox SDK..., or
    if you visit a specially-crafted malicious page with your Android web browser targeting that app, and
    that's only if you don't have the Dropbox for Android app installed

    My emphasis. I use YNAB for budgeting, which only supports Dropbox. So, am I safe if I install the Dropbox Android app?