Authentication Bypass in Dropbox Android Application
CVE-2018-12445
3.1 LOW
What is CVE-2018-12445?
A security flaw in the Dropbox Android application version 98.2.2 allows an attacker to bypass biometric authentication due to improper handling of the FingerprintManager class. The application incorrectly transitions from the onAuthenticationFailed callback to onAuthenticationSucceeded when null values are passed, potentially enabling unauthorized users to authenticate with any fingerprint. While the vendor has noted that this vulnerability is not relevant to their threat model for rooted Android devices, it raises important concerns regarding biometric security implementation in mobile applications.
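
For comparison, a FingerprintManager callback that does not trust the callback transition alone, shown as an added example that is not Dropbox's code or part of the original advisory. The class name, the Listener interface and the wrappedSecret field are hypothetical, and the example assumes the Cipher handed to authenticate() inside the CryptoObject was initialised for decryption with an Android Keystore key created with setUserAuthenticationRequired(true).

```java
import android.hardware.fingerprint.FingerprintManager;
import java.security.GeneralSecurityException;
import javax.crypto.Cipher;

/** Hypothetical hardened callback: success only counts if the keystore agrees. */
public final class BoundFingerprintCallback extends FingerprintManager.AuthenticationCallback {

    /** Hypothetical interface the app implements to receive the outcome. */
    public interface Listener {
        void onUnlocked(byte[] sessionSecret);
        void onRejected(String reason);
    }

    private final byte[] wrappedSecret; // ciphertext stored when fingerprint unlock was enabled
    private final Listener listener;

    public BoundFingerprintCallback(byte[] wrappedSecret, Listener listener) {
        this.wrappedSecret = wrappedSecret.clone();
        this.listener = listener;
    }

    @Override
    public void onAuthenticationSucceeded(FingerprintManager.AuthenticationResult result) {
        // A null result or CryptoObject means nothing ties this call to the keystore.
        if (result == null || result.getCryptoObject() == null
                || result.getCryptoObject().getCipher() == null) {
            listener.onRejected("no crypto object");
            return;
        }
        try {
            Cipher cipher = result.getCryptoObject().getCipher();
            // The keystore refuses this operation unless it saw a real fingerprint match.
            listener.onUnlocked(cipher.doFinal(wrappedSecret));
        } catch (GeneralSecurityException | IllegalStateException e) {
            listener.onRejected("keystore refused the operation");
        }
    }

    @Override
    public void onAuthenticationFailed() {
        listener.onRejected("fingerprint not recognised");
    }

    @Override
    public void onAuthenticationError(int errorCode, CharSequence errString) {
        listener.onRejected("sensor error " + errorCode);
    }
}
```

With this pattern the unlock decision rests on the decrypted secret rather than on which callback method was reached, so a success callback invoked with null values yields a rejection.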
