PT-2018-11178 · Dropbox · Com.Dropbox.Android

Boonpoj Thongakaraniroj +1 · Published 2018-06-20 · Updated 2024-08-05 · CVE-2018-12445

CVSS v2.0: 3.3 (Low)

Vector: AV:L/AC:M/Au:N/C:P/I:P/A:N

Name of the Vulnerable Software and Affected Versions

com.dropbox.android version 98.2.2

Description

An issue in the com.dropbox.android application allows authentication bypass through the FingerprintManager class used for biometric validation. This is possible because the fingerprint API, in conjunction with the Android keyGenerator class, is not properly implemented, enabling an attacker to authenticate with an arbitrary fingerprint. The vendor notes that it does not consider this issue a threat within its threat model, which excludes Android devices that have been rooted.

Recommendations

For version 98.2.2, consider disabling the FingerprintManager class for biometric validation until a proper fix is implemented to prevent authentication bypass. Restrict access to the fingerprint API to minimize the risk of exploitation. Avoid using the fingerprint authentication method in the affected application until the issue is resolved.

Fix

Weakness Enumeration: Improper Authentication

Related Identifiers: CVE-2018-12445

Affected Products: Com.Dropbox.Android