Dropbox Repairs Android Security Fault


Cloud storage service repairs a flaw that could have allowed attackers to capture data via third-party apps

Cloud storage provider Dropbox has repaired a ‘minor security vulnerability’ for its Android customers.

The flaw could have allowed attackers to capture information through vulnerable third-party Android apps built with the Dropbox SDK.

SDK Flaw

Dropbox revealed the fix in a posting on its Developer Blog. It said that it had patched “a minor security vulnerability in our Android Core and Sync/Datastore SDKs.”

It asked all app developers to update to the latest version of the SDKs. Because the affected code is compiled into each third-party app rather than running on Dropbox’s servers, the fix only reaches end users once developers rebuild and ship their apps against the patched SDK.

The blog posting made it clear that, for a user to be affected by this vulnerability, they would have needed to use an affected app on an Android device and not have the Dropbox for Android app installed.

They would also have had to visit a specially crafted malicious page in their Android web browser that targeted the app, or have a malicious app installed on their phone.

“An attacker could then link their Dropbox account to a vulnerable third-party app on the victim’s device,” said the firm. “This would then allow the attacker to capture new data a user saved to Dropbox via the vulnerable app.”

“This vulnerability couldn’t give attackers access to any existing files in a user’s account, and users with the Dropbox app installed on their devices were never vulnerable,” Dropbox stated. “There are no reports or evidence to indicate the vulnerability was ever used to access user data.”

Dropbox credited Roee Hay and Or Peles at IBM for discovering and responsibly disclosing this vulnerability.

“We take user security and privacy very seriously, and we continue to work closely with security researchers to keep our users safe,” said Dropbox.

Responsible Disclosure

The Dropbox comment on how the IBM researchers responsibly disclosed the flaw comes after Google’s Project Zero security team ruffled feathers when it went public with a number of flaws in Apple’s Mac OS X operating system and Windows 8.1.

Google previously defended its policy of naming and shaming the companies, after both firms failed to ship the necessary fixes within its 90-day disclosure deadline. But last month it extended that deadline and promised a grace period of up to 14 days if a vendor notifies it that a patch is in the works.

It should be noted that Dropbox has had security scares in the past. For example, it finally added two-factor authentication for its users in August 2012, following a spam scare a month earlier.
