Number: IRCNE2015032442
Date: 2015/03/14
According to “zdnet”, Dropbox has patched a security flaw which allowed cyberattackers to steal new information uploaded to accounts through compromised third-party apps on Android devices.
The company announced the fix through the Dropbox Developer Blog on Wednesday. Dropbox, a firm which caters for over 300 million users and offers cloud-based file storage, said a minor security vulnerability in Android Core and Sync/Datastore SDKs was patched a few months ago.
Dropbox's Android Core and Sync/Datastore software development kits are issued to developers working on third-party apps which work with Dropbox services. The company says that most third-party apps now have updated Android SDKs, but requests that remaining Android developers update their apps to use Core API Android SDK v1.6.3 or Sync/Datastore Android SDK v3.1.2.
For the security vulnerability to impact users, a compromised third-party app would have to be installed on an Android device -- but not have the Dropbox for Android app installed -- and the user would need to visit a specific type of malicious web page targeting the vulnerable app. A cyberattacker would then be able to link their Dropbox account to the third-party app, which then could be used to capture new data a user saved to Dropbox via the third-party application.
"Every app works differently, so many apps using the affected SDKs weren't vulnerable at all or required additional factors to exploit. This vulnerability couldn't give attackers access to any existing files in a user's account, and users with the Dropbox app installed on their devices were never vulnerable. There are no reports or evidence to indicate the vulnerability was ever used to access user data," Dropbox says.
Researchers at IBM, Roee Hay and Or Peles, were first to detect and disclose this vulnerability.
- 2