IBM discovers Dropbox vulnerability leaving millions of users exposed

Security vulnerabilities are nothing new, and as enterprises move to the cloud they will need to deal with a world of APIs and SDKs.

With this new world comes a whole new range of security risks around code that can often go unnoticed. As a result, the risk of security flaws affecting even the most security-conscious enterprise is rising rapidly, to the point where a flaw is not merely likely but inevitable.

Once you accept this is going to happen, part of the risk assessment when taking on a cloud-based service or application should be "how fast do they deal with flaws or breaches?" This brings us to the IBM/Dropbox situation.

IBM has discovered a flaw in the Dropbox SDK that it is calling DroppedIn. It allows attackers to connect to any application on a mobile device that relies on the SDK to connect to a Dropbox account. One such application mentioned in the press release is Microsoft Office Mobile. It is the biggest app using the Dropbox SDK, and there have been more than 10 million downloads of the application.

DroppedIn allows cybercriminals to upload and download files between the attacker's Dropbox account and the local app. With cloud file-sharing services now in use by users from almost every company, this puts a lot of sensitive and personal data within reach of cybercriminals. Importantly, this is not just about data theft. It is a major opportunity to place files containing malicious code onto the local drive of a user, potentially infecting them and others. This is a complete backdoor into the enterprise.

IBM has been quick to praise Dropbox, saying:

  • Dropbox has done everything possible to rectify this issue as soon as they were made aware of it by our research team – they've demonstrated through action their commitment to the security of their end users. Less than 24 hours after IBM Security disclosed the vulnerability to Dropbox they responded with a confirmation of the vulnerability, and Dropbox issued a patch within just 4 days of disclosure.
  • Microsoft and Agilebits have both updated their apps with the latest SDK to protect their users.
  • The full details of the DroppedIn attack are given in a video and a blog post from Roee Hay, which not only give more information but list the steps the attack takes to compromise data. There are also three short case studies in the blog post that show how effective the attack can be.

One of the challenges now will be Dropbox getting its entire partner ecosystem to rewrite their applications and push updates to customers.

The other challenge is getting people to apply the updates. This is not a trivial matter, and it will be interesting to see whether Dropbox deploys code on its service to detect whether the client connecting has been updated. If so, it can simply inform the user to seek an updated version of the app from the third party.

It will take time for this whole situation to play out, and in that time we will inevitably see stories of Dropbox being hacked and users losing data. While Dropbox has done the right thing, this does open up the problem of third-party access to applications and data.

Both Yahoo and Apple have been caught up in stories in recent months where the breach came not from hackers attacking them directly but from exploiting code at third parties that had access to their cloud environment. Dropbox will be keen to prevent this happening.

The US PR agency for Dropbox has been quick to respond. They have pointed out that this exploit was detected and patched months ago, although they did not give a date. While they also point out that Dropbox has worked with users of its SDK to patch their applications and that the "majority" have done so, this is still a live exploit, as not all developers have patched and Dropbox has no way of proving how many users have actually applied the update.

As a result, we stand by our statement that it will take time for this exploit to play out fully, even though the agency has asked us to remove it.

They also took the opportunity to say that they have no indication of the exploit being used to date, although the fact that IBM has now published the details does raise the likelihood of an attack happening.

As the agency statement accepts that not all developers have updated their code, users are still at risk. As pointed out in the article, it is inevitable that Dropbox will get the blame for attacks that come through third parties using its SDK, as has happened to other vendors in the last year.