Dropbox fixes security flaw ‘DroppedIn’


Dropbox has claimed to have fixed a security flaw, which might have otherwise let hackers exploit users’ data stored via the cloud storage service’s Android app using compromised third-party apps.

The vulnerability in Dropbox SDK, dubbed ‘DroppedIn’, was initially discovered by IBM’s X- Force Application Security Research Team.

Through a blog post on its Developer Blog website on Tuesday, Dropbox revealed that it had patched “a minor security vulnerability in our Android Core and Sync/Datastore SDKs.”

Dropbox said the issue doesn’t appear to have been exploited by hackers to access data, and that most of the popular apps using its SDK have been patched. Furthermore, it has asked all app developers to update to the latest version of its software.

The company noted that for the security flaw to impact users, a compromised third-party app would have to be installed on an Android device and not the Dropbox for Android app installed. The user would need to visit a specific type of malicious web page with their Android web browser targeting that app, or have a malicious app installed on their phone. Only then a cyberattacker could link their Dropbox account to the third-party app, which then could be used to capture new data a user saved to Dropbox via the third-party application.

“Every app works differently, so many apps using the affected SDKs weren’t vulnerable at all or required additional factors to exploit. This vulnerability couldn’t give attackers access to any existing files in a user’s account, and users with the Dropbox app installed on their devices were never vulnerable. There are no reports or evidence to indicate the vulnerability was ever used to access user data,” Dropbox’s blog post read.

The cloud storage company credited IBM’s Roee Hay and Or Peles for discovering and responsibly disclosing this vulnerability.

“We take user security and privacy very seriously, and we continue to work closely with security researchers to keep our users safe,” said Dropbox.