DroppedIn Vuln Links Victims Androids To Attackers DropBoxes

DropBox released a patch quick, but unpatched vulnerable Android apps that use the DropBox SDK may let attackers open up a two-way highway between victim Droids and their own Boxes.

Researchers at IBM X-Force have discovered a vulnerability in the DropBox software development kit (SDK) for Android that allows attackers to connect a victims Android apps to an attackers own DropBox account. The DroppedIn vulnerability affects any Android app developed with the DropBox SDK versions 1.5.4 through 1.6.1.
The flaw is in the implementation of the authentication mechanism used to give the app access to DropBox. Its supposed to work like this: while the user is providing their username-password combo to log in, the SDK is generating a large random number (a cryptographic nonce) to authenticate the device to DropBox. The trouble is, the proof-of-concept exploit the researchers have created lets attackers insert an arbitrary access token into the SDK, completely bypassing the nonce protection, as they explain.
A victim could either be tricked into downloading a malicious app or infected via drive-by download. Either way, once the device is infected, the attacker has an open path from the victims Droid to the attackers DropBox -- through which the attacker could steal sensitive personal data and files from the device. This access would also go in the opposite direction -- the attacker could push out their own DropBox files, including malware.
To clarify, this exploit would
not
be a problem for the DropBox documents a user adds from their desktop machine, just files and data residing on their Android device.
Fortunately, DropBox has already released a patch -- just four days after they learned of the vulnerability. Plus, if the DropBox app is installed on the users Android device, then the SDK vulnerability cannot be exploited anyway.
The trouble, of course, is that average users who dont use the DropBox app might assume theyre not vulnerable. According to IBM X-Force, 1.4 percent of the top 500 Android apps use the DropBox SDK, including Microsoft Office Mobile and Agile Bits 1Password.
Mobile malware is a growing problem, especially for Android. In a separate report released this week, Veracode found that the average global enterprise has approximately 2,400 unsafe applications in its mobile environment.
Of the unsafe apps Veracode studied, 85 percent expose sensitive device data, 35 percent obtain or share personal information about the user, and 37 perform suspicious security actions, such as checking to see if the device is rooted or jailbroken, allowing applications to perform superuser actions such as recording conversations, disabling anti-malware, replacing firmware or viewing cached credentials such as banking passwords.
“On average, 3 percent of apps on employee devices are malicious, says Veracode vice-president of mobile Theodora Titonis. She is a bit surprised to find that 35 percent of apps were sharing personal information of the user. “That number is increasing.”

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
DroppedIn Vuln Links Victims Androids To Attackers DropBoxes