March 11, 2015
IBM Corp.'s X-Force Application Security Research team has announced the discovery of what its members describe as a severe vulnerability in Dropbox's software development kit (SDK), which Android app developers use to connect their apps to Dropbox so users can access their files from within the app.
This vulnerability, dubbed DroppedIn by IBM’s researchers, allows an attacker to connect applications on a user’s mobile device to a Dropbox account that the attacker controls, allowing the hacker to harvest the exfiltrated data.
The biggest app that uses the Dropbox SDK is Microsoft Office Mobile, which, according to reports, hosts over 35 billion files on Dropbox for users.
“In fact, Microsoft Office Mobile, which likely holds sensitive information, has been downloaded more than 10 million times. Additionally, password manager AgileBits 1Password (100,000 downloads) and several productivity and photo editing / sharing tools use the SDK,” IBM said in a statement.
“Organizations are turning to the cloud to make their employees' jobs easier and their files more accessible. According to a recent IBM study, 90% of security leaders have either adopted cloud or are currently planning cloud initiatives. Cloud storage players like Dropbox are making inroads in the enterprise market, which makes this discovery even more critical.
“For example, employees often use file services like Dropbox outside of company IT policies to store and share files. These files could be anything from a PowerPoint presentation to a VC firm asking for funding or numbers on an impending IPO.”
Dropbox has updated its Android SDK and encourages app developers to update all applications using it.
IBM Security disclosed the discovery via a blog post on the Security Intelligence blog that went live this morning.