

It is no secret that the world is now storing private personal and business data in the cloud. The IBM X-Force Application Security Research Team has discovered a vulnerability in the Dropbox SDK for Android (CVE-2014-8889) which allows attackers to connect applications on mobile devices to a Dropbox account controlled by the attacker without the victim’s knowledge or authorization. This is a serious flaw in the authentication mechanism within any Android app using Dropbox SDK Version 1.5.4 through 1.6.1 (note: this vulnerability was resolved in Dropbox SDK for Android v1.6.2). The vulnerability can be exploited in two ways: using a malicious app installed on the user’s device, or remotely using drive-by techniques. It cannot, however, be exploited if the Dropbox app is installed on the device (it does not even need to be configured, just installed).

Upon discovery of the vulnerability, the IBM team privately disclosed the issue to Dropbox. The response from Dropbox to this security threat was particularly noteworthy: they acknowledged receipt of the disclosure within a mere six minutes, confirmed the vulnerability within 24 hours, and released a patch within just four days. This undoubtedly shows the company’s commitment to security; it was one of the fastest response times the IBM Security team has seen in its long history of vulnerability research.

With a patch available, it is highly recommended that developers update their Dropbox SDK library. Additionally, end users (device owners) must update their apps that rely on the SDK and are also encouraged to install the Dropbox app, which makes it impossible to exploit the vulnerability, because the vulnerable SDK code is not invoked when the local Dropbox app is installed.

The following blog post gives a high-level overview of the vulnerability, leveraging a proof-of-concept exploit the IBM X-Force team developed. The full details of CVE-2014-8889 and the DroppedIn exploit are available via this white paper.
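The affected range above (1.5.4 through 1.6.1, fixed in 1.6.2) is the kind of fact a developer or app-security team wants to check mechanically across every build they ship. The script below is an added example, not IBM's or Dropbox's code: it parses SDK version strings properly (so that a hypothetical "1.10.0" is not mistaken for something older than "1.6.2" by plain string comparison) and flags builds inside the affected range. The jar naming pattern `dropbox-android-sdk-<version>.jar` and the `app: dependency` inventory format are assumptions for illustration; the inventory lines are constructed sample data.

```python
"""Flag Android builds that bundle an affected Dropbox SDK for Android version.

Added example, not IBM's or Dropbox's code. It assumes the SDK ships as a jar
named like dropbox-android-sdk-<version>.jar and that a build inventory lists
one app per line as "app-name: path/to/dependency". Both are assumptions.
"""
import re
from typing import Dict, Optional, Tuple

# Range stated in the advisory: 1.5.4 through 1.6.1 affected, 1.6.2 fixed.
FIRST_AFFECTED = (1, 5, 4)
FIRST_FIXED = (1, 6, 2)

# Assumed artifact naming; adapt the pattern to the inventory you actually have.
JAR_RE = re.compile(r"dropbox-android-sdk-(\d+(?:\.\d+)*)\.jar")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.6.1' into (1, 6, 1). Tuples of ints compare numerically,
    which avoids the string-comparison bug where '1.10.0' < '1.6.2'."""
    return tuple(int(part) for part in text.split("."))


def pad(version: Tuple[int, ...], width: int = 3) -> Tuple[int, ...]:
    """Right-pad with zeros so '1.6' compares as (1, 6, 0)."""
    return version + (0,) * (width - len(version))


def is_affected(version: str) -> bool:
    """True when the version falls inside [1.5.4, 1.6.2)."""
    v = pad(parse_version(version))
    return FIRST_AFFECTED <= v < FIRST_FIXED


def sdk_version_from_line(line: str) -> Optional[str]:
    """Extract the SDK version from a dependency path, or None if absent."""
    match = JAR_RE.search(line)
    return match.group(1) if match else None


def audit(inventory: str) -> Dict[str, Tuple[Optional[str], bool]]:
    """Map app name -> (bundled SDK version or None, affected flag)."""
    results: Dict[str, Tuple[Optional[str], bool]] = {}
    for raw in inventory.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        app, _, dep = line.partition(":")  # assumed "app: dependency" layout
        version = sdk_version_from_line(dep)
        results[app.strip()] = (version, version is not None and is_affected(version))
    return results


# Constructed sample inventory: app names and versions are made up for the demo.
SAMPLE_INVENTORY = """\
# constructed sample: one line per app, app name then bundled dependency
notes-app: libs/dropbox-android-sdk-1.6.1.jar
photo-sync: libs/dropbox-android-sdk-1.6.2.jar
old-backup: libs/dropbox-android-sdk-1.5.3.jar
scanner: libs/dropbox-android-sdk-1.10.0.jar
weather: libs/okhttp-2.2.0.jar
"""

if __name__ == "__main__":
    for app, (ver, affected) in audit(SAMPLE_INVENTORY).items():
        if affected:
            status = "AFFECTED - update to SDK 1.6.2 or later"
        elif ver:
            status = "ok"
        else:
            status = "no Dropbox SDK found"
        print(f"{app:12} {ver or '-':8} {status}")
```

Running it over a real inventory is a matter of swapping `SAMPLE_INVENTORY` for the output of whatever lists your builds' bundled libraries; the comparison logic stays the same.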
