Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Security Android Software

Flaw In Dropbox SDK For Android Lets Attackers Steal Data Sent To Users' Account 23

An anonymous reader writes: Researchers from IBM's security team have discovered an authentication flaw in the Dropbox Software Development Kit (SDK) for Android that can be exploited to capture new data a user saves to its Dropbox account. The flaw has been extensively documented by the researchers in a blog post, but the things you initially need to know are these: the vulnerability can be exploited if you use an app that uses a Dropbox SDK Version 1.5.4 through 1.6.1 (the latest one is v1.6.3), or if you visit a specially-crafted malicious page with your Android web browser targeting that app, and that's only if you don't have the Dropbox for Android app installed. Also, an attacker can't access the data you have previously stored in your Dropbox account.
This discussion has been archived. No new comments can be posted.

Flaw In Dropbox SDK For Android Lets Attackers Steal Data Sent To Users' Account

Comments Filter:
  • by Anonymous Coward

    Is there a way for Dropbox to block log-in access from apps that have not been updated to the latest SDK?

    This would keep the users safe and put pressure on the app developers to update.

  • by Anonymous Coward

    just like all other 3rd party cloud solutions.

    you're all idiots.

  • They offer something Google Drive doesn't? I only ask because I wonder why anybody would clutter up their phones and tablets with duplicate programs.

  • Block the flaw (Score:4, Informative)

    by graymatter1945 ( 2882751 ) on Wednesday March 11, 2015 @12:11PM (#49234903)
    Install the Dropbox app and block the flaw. "End users (device owners) must update their apps that rely on the SDK and are also encouraged to install the Dropbox app, which makes it impossible to exploit the vulnerability; this is because the vulnerable SDK code is not invoked when the local Dropbox app is installed," IBM researchers noted."
  • funny (Score:2, Insightful)

    by Anonymous Coward

    I discontinued the use of Dropbox right after they announced Condi Rice was joining their board. Someone who rampantly supported the domestic spying initiatives sitting for a company that claims to value user privacy sounds like the punchline of a joke. Now we see stories about the NSA repeatedly trying to insert and exploit vulnerabilities into software and products... suspect? yes.

  • None of them in my opinion based on what I've read.

    • by mrmeval ( 662166 )

      If you' are not encrypting the stuff before they get it. You're a fool.

      I don't see the point when my NAS is available, I use Openvpn and it's trivial to setup securely. Changes are encrypted and stored on that miraculous thing called a server I own that is co-located on a remote island. It is cheap and I only store encrypted backups on it.

      I am taking notes on what else I should do to protect that stuff further. ;)

  • by Anonymous Coward

    That's all you need to know. [dropbox.com]

    Don't use Dropbox.

  • If several people are sharing one account then you've already got problems.

"I'm a mean green mother from outer space" -- Audrey II, The Little Shop of Horrors

Working...