Android SDK nonce flaw lets hackers fiddle with your Dropbox privates
Users of Microsoft Office Mobile, other apps should update
IBM's security team has found an unsettling flaw that can leave the Dropbox accounts of mobile users wide open to snooping by attackers.
The researchers spotted some sloppy coding in Dropbox's SDK Version 1.5.4 for Android. Applications that link to Dropbox accounts using the SDK may be vulnerable, owing to a flaw that can allow an attacker to bypass the normal authentication mechanism and gain full access.
Dropbox uses the OAuth protocol to link apps to its accounts. This involves creating a large, random number called a cryptographic nonce that's used to authorize an app to get data from an account.
Vulnerable apps allow an attacker to steal this nonce and use it to get into the corresponding Dropbox account. At that point, the attacker can capture any new data the owner saves to the account.
Of the 41 apps that can link to Dropbox that Big Blue tested, 76 per cent were vulnerable to the attack developed by IBM, known as DroppedIn. These included Microsoft Office Mobile, which currently has over ten million downloads, and the popular password manager 1Password.
There are limitations to the attack. It only works if the Android user is accessing a Dropbox account using a vulnerable app – and because app designs vary, not every app built with the affected SDK version is vulnerable. The user must also have visited a malicious website or installed a malicious app to have fallen prey to the exploit. And if the official Dropbox app is installed on a device, the exploit doesn't work at all.
What's more, the exploit doesn't give the attacker access to any files saved to Dropbox before the Android device was compromised. Only data saved after the attack has been successful can be snooped.
While these issues make the Dropbox exploit unsuitable for mass data slurping, the flaw would be very handy for a targeted attack against a high-value target when coupled with some canny social engineering and a bit of compute power.
"Dropbox's response to this security threat was particularly noteworthy," IBM said. "We reported the issue to Dropbox, which acknowledged receipt after a mere six minutes. Less than 24 hours after the disclosure, Dropbox responded with a confirmation of the vulnerability, and a patch was issued only four days after the private disclosure."
The current release of the Dropbox SDK, version 1.6.3 is no longer vulnerable. Dropbox also contacted its developers many of the applications that use it have also been patched.
But there may yet be a pool of users out there who are lazy about updating their applications and who could be at risk – especially now that the vulnerability has been made public.
"There are no reports or evidence to indicate the vulnerability was ever used to access user data," said Dropbox security engineer Devdatta Akhawe in a blog post.
"We want to thank Roee Hay and Or Peles at IBM for discovering and responsibly disclosing this vulnerability. We take user security and privacy very seriously, and we continue to work closely with security researchers to keep our users safe." ®