Android SDK nonce flaw lets hackers fiddle with your Dropbox privates

IBM's security team has found an unsettling flaw that can leave the Dropbox accounts of mobile users wide open to snooping by attackers. The researchers spotted some sloppy coding in Dropbox's SDK Version 1.5.4 for Android. Applications that link to Dropbox accounts using the SDK may be vulnerable, owing to a flaw that can …

  1. Anonymous Coward
    Anonymous Coward

    "Users of Microsoft Office Mobile, other apps should update "

    I already updated - by moving everything to MS OneDrive.

  2. Anonymous Coward
    Anonymous Coward

    seriously?

    A cryptographic nonce?

    1. MrFrizzle

      I am assuming that this is just a joke and you know what a real nonce is haha

    2. /dev/null
      Headmaster

      Yes, really...

      "for the nonce" (idiomatic) For the time being, with the expectation that the situation may change.

      1922, James Joyce, Ulysses, Episode 16:

      "For the nonce he was rather nonplussed but inasmuch as the duty plainly devolved upon him to take some measures on the subject he pondered suitable ways and means during which Stephen repeatedly yawned."

      (from Wiktionary)

  3. adnim
    Mushroom

    Don't use third parties

    Those with a clue don't need to. One can own and control the server one syncs/dumps/stores data on (just don't use an off-the-shelf NAS or ISP-owned cheapo router).

    Consumers have no choice, and consumers are most likely to not have understanding of what any of this means... Oooo, that's easy, I don't have to think. Here ya go, take care of my privates.

    And guess what, those that are making money from selling broken systems don't really give a shit providing the lawyers draft a EULA that admonishes them of responsibility.

    1. dajames
      Headmaster

      Re: Don't use third parties

      ... those that are making money from selling broken systems don't really give a shit providing the lawyers draft a EULA that admonishes them of responsibility

      I think perhaps the word you were scrabbling for is "absolves"?

      1. Anonymous Coward
        Anonymous Coward

        Re: Don't use third parties

        Perhaps he's one of those who don't have a clue who he was disparaging. About the English language, in his case.

      2. adnim

        Re: Don't use third parties

        yes

        1. adnim

          Re: Don't use third parties

          yes

          Not so much scrabbling as trying to do too many things for my tiny mind to cope with at once.

          Just like those that promise.... the thing you pay for and just don't get.

          The fact remains, broken English aside, I think I am right. Or does it please you to put your privates in the hands of someone you don't even know, let alone trust? The consumer has no clue; I really thought readers of The Register would. Perhaps I was downvoted by pedants or cloud service providers.

  4. Lallabalalla
    Gimp

    sloppy coding in Dropbox's SDK Version 1.5.4 for Android

    So, iOS not affected.

    Open is better though, right?

    1. Indolent Wretch

      Re: sloppy coding in Dropbox's SDK Version 1.5.4 for Android

      Yes, open is better.

      The fact is, according to the article, that IBM have found a flaw in some code written by Dropbox for Android.

      What we don't know is....

      a) Is the flaw also in the iOS SDK written by Dropbox? It's hard to tell because the article doesn't seem to link to the research.

      What we do know is....

      b) The article's title was written with great care to suggest it was Android/Google who'd screwed up and let hackers get to your Dropbox data, when it seems it was Dropbox themselves that did this.

      c) This was also done by putting the word Android pretty much as close as possible to a word which in the UK means child molester.

      What we can speculate is....

      d) If Dropbox are sensible and the SDK code is shared as much as possible between different platforms, then there is a high chance all are suspect.

      e) If the SDK code isn't shared as much as possible, then Dropbox are idiots.

      What is blindingly obvious...

      f) This has got absolutely NOTHING to do with open source.

  5. dajames
    WTF?

    Android SDK nonce flaw?

    Shirley, you mean Dropbox SDK for Android nonce flaw?

  6. Tom Chiverton 1

    "The user must also have visited a malicious website or installed a malicious app "

    Nothing to see here, move along...

  7. tony2heads

    patch in 4 days

    That is the truly remarkable bit of this story.
