Slashdot Mirror

← Back to Stories (view on slashdot.org)

Flaw In Dropbox SDK For Android Lets Attackers Steal Data Sent To Users' Account

Posted by Soulskill on from the many-points-of-failure dept.

An anonymous reader writes: Researchers from IBM's security team have discovered an authentication flaw in the Dropbox Software Development Kit (SDK) for Android that can be exploited to capture new data a user saves to its Dropbox account. The flaw has been extensively documented by the researchers in a blog post, but the things you initially need to know are these: the vulnerability can be exploited if you use an app that uses a Dropbox SDK Version 1.5.4 through 1.6.1 (the latest one is v1.6.3), or if you visit a specially-crafted malicious page with your Android web browser targeting that app, and that's only if you don't have the Dropbox for Android app installed. Also, an attacker can't access the data you have previously stored in your Dropbox account.

2 of 23 comments (clear)

  1. Block the flaw by graymatter1945 · · Score: 4, Informative

    Install the Dropbox app and block the flaw. "End users (device owners) must update their apps that rely on the SDK and are also encouraged to install the Dropbox app, which makes it impossible to exploit the vulnerability; this is because the vulnerable SDK code is not invoked when the local Dropbox app is installed," IBM researchers noted."

  2. Condolezza Rice is on the Dropbox board by Anonymous Coward · · Score: 2, Informative

    That's all you need to know.

    Don't use Dropbox.