LockDroid
Explorer | Level 3
2 years ago

Dropbox Passcode Vulnerability Report

I have identified a potential security vulnerability while using Dropbox. I believe this issue may pose a risk to the protection of user data, and I would like to promptly share my findings with you to help enhance the security of Dropbox.

Vulnerability Description:

Dropbox implements a Passcode mechanism to lock the app, but I find the Passcode fails to be invoked when some activities are resumed. Vulnerable Activities are listed as follows.

ID    Activity
1     GroupedPhotoPreviewActivity
2     BulkRenameActivity

The detailed instructions for triggering the vulnerability are provided in the attachment.

These vulnerabilities may pose a risk of sensitive data leakage. As you can see from the attachment, some private user data, such as personal photos, is clearly displayed on the screen without passcode protection.

I hope this issue can be investigated and addressed as soon as possible to improve the application's security and protect user data. Please contact me for more details or any assistance needed to confirm this vulnerability.

I look forward to your prompt response!

Attachment:

Take GroupedPhotoPreviewActivity as an example:

The middle page is GroupedPhotoPreviewActivity.

When Dropbox goes to the background (❶) and then is awakened, this activity is switched to be running (❷). Unfortunately, the interface lock is not triggered when this activity is resumed.

While navigating to other interfaces activates the interface lock (❸), this particular interface allows direct access to private photos stored within the cloud drive.
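Added example, not part of the original post and not Dropbox's code: a lock check wired into individual activities can miss a screen, as the report describes, whereas a single process-wide lifecycle callback gates every activity on resume. `AppLockGuard` and the `lockScreen` parameter are hypothetical names; the sketch assumes a passcode is enabled and that the app's own passcode activity calls `AppLockGuard.unlock()` on success and then finishes.

```java
import android.app.Activity;
import android.app.Application;
import android.content.Intent;
import android.os.Bundle;
import android.view.View;

/** Added example: one process-wide passcode gate (hypothetical class, not Dropbox code). */
public final class AppLockGuard implements Application.ActivityLifecycleCallbacks {
    private static AppLockGuard instance;
    private final Class<? extends Activity> lockScreen; // the app's own passcode activity
    private int startedCount = 0;
    private boolean locked = true; // a cold start always begins locked

    private AppLockGuard(Class<? extends Activity> lockScreen) { this.lockScreen = lockScreen; }

    /** Call once from Application.onCreate(). */
    public static void install(Application app, Class<? extends Activity> lockScreen) {
        instance = new AppLockGuard(lockScreen);
        app.registerActivityLifecycleCallbacks(instance);
    }

    /** The passcode activity calls this after a correct passcode, then finishes. */
    public static void unlock() { if (instance != null) instance.locked = false; }

    @Override public void onActivityStarted(Activity a) { startedCount++; }

    @Override public void onActivityStopped(Activity a) {
        // Last visible activity stopped: the app is in the background, so re-lock.
        // A rotation also stops the activity, but must not count as backgrounding.
        if (--startedCount == 0 && !a.isChangingConfigurations()) locked = true;
    }

    @Override public void onActivityResumed(Activity a) {
        if (lockScreen.isInstance(a)) return; // never gate the lock screen itself
        // Runs for every activity in the process, so a newly added screen is gated too.
        // Hide the content while locked so nothing is drawn behind the passcode prompt.
        a.getWindow().getDecorView().setVisibility(locked ? View.INVISIBLE : View.VISIBLE);
        if (locked) a.startActivity(new Intent(a, lockScreen));
    }

    @Override public void onActivityCreated(Activity a, Bundle state) { }
    @Override public void onActivityPaused(Activity a) { }
    @Override public void onActivitySaveInstanceState(Activity a, Bundle out) { }
    @Override public void onActivityDestroyed(Activity a) { }
}
```

Because the gate lives in the `Application` rather than in each screen, the background-then-resume sequence from the report (❶ to ❷) can be regression-tested against any activity without that activity opting in.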

 

  • Walter
    Dropbox Staff

    Hey LockDroid - thanks for flagging this with us.

    I've passed your feedback on to the team - let us know if you have anything else to add.

    Cheers!

    • LockDroid
      Explorer | Level 3

      Hi, thanks for your reply! But the bug still exists. Can I know something more? Look forward to your reply!

      • Nancy
        Dropbox Staff

        Hey LockDroid, hope you’re doing well.

        What I’d suggest is to report this here instead.

        If you haven’t already, please have a look at this Help Center article, too.
