VYPR
Unrated severity · NVD Advisory · Published Apr 5, 2025 · Updated Sep 5, 2025

Net::Dropbox::API 1.9 and earlier for Perl uses insecure rand() function for cryptographic functions

CVE-2024-58036

Description

Net::Dropbox::API 1.9 and earlier uses the insecure rand() for cryptographic operations, enabling token prediction.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Net::Dropbox::API 1.9 and earlier for Perl improperly uses the rand() function as the default source of entropy for cryptographic operations. The module relies on the Data::Random library, which explicitly states it is "Useful mostly for test programs" and itself uses rand(). Perl's built-in rand() is not cryptographically secure; it is seeded with only 32 bits and its output can be predicted [1][2].

Exploitation

An attacker with network access can predict authentication tokens, session IDs, or other secrets generated by the vulnerable module. Because rand() offers low entropy and is seeded with a 32-bit seed, an attacker can enumerate possible seeds or observe outputs to reconstruct the internal state. No special privileges or user interaction beyond normal API usage is required to generate the predictable tokens [1][2].

Impact

Successful exploitation allows an attacker to predict or reproduce tokens used for Dropbox API authentication and authorization. This can lead to unauthorized access to a user's Dropbox account, data disclosure, and potential modification or deletion of files. The impact is a complete compromise of the confidentiality, integrity, and availability of the linked Dropbox data [1].

Mitigation

No vendor fix is disclosed in the available references. Users should avoid using Net::Dropbox::API for security-sensitive purposes until a patched version is released. As a workaround, replace calls to the insecure random generation with a cryptographically secure alternative such as Crypt::URandom or Crypt::PRNG [1][2]. If no update is provided, consider switching to a different Dropbox API module.
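The weak and hardened token generators side by side, as an added Perl example that is not code from Net::Dropbox::API or from the advisory: the weak path draws characters through Data::Random (the dependency the advisory names, which sits on core rand()), the hardened path reads bytes from the operating system's CSPRNG via Crypt::URandom (one of the two replacements the mitigation suggests). The alphabet, the token length, and the helper names are this example's own choices.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Weak pattern described in the advisory: token characters drawn from
# Perl's core rand() through Data::Random. Constructed illustration of
# the defect, not Net::Dropbox::API's own code.
use Data::Random qw(rand_chars);

# Hardened replacement named in the advisory's mitigation: bytes from
# the operating system's CSPRNG via Crypt::URandom.
use Crypt::URandom qw(urandom);

# 62-symbol alphabet shared by both generators (example's own choice).
my $ALPHABET = join '', 'A' .. 'Z', 'a' .. 'z', '0' .. '9';

# Weak: every character depends on rand(), whose entire state comes from
# a 32-bit seed, so a 32-character token still carries at most 32 bits
# of entropy and the whole sequence follows from one recovered seed.
sub weak_token {
    my ($len) = @_;
    return join '', rand_chars( set => 'alphanumeric', size => $len );
}

# Secure: map CSPRNG bytes onto the alphabet with rejection sampling so
# no symbol is favoured (a plain "byte % 62" would over-represent the
# first eight symbols, because 256 is not a multiple of 62).
sub secure_token {
    my ($len) = @_;
    my $size  = length($ALPHABET);
    my $limit = 256 - ( 256 % $size );    # 248: largest unbiased cut-off
    my $token = '';
    while ( length($token) < $len ) {
        # Request a few spare bytes; roughly 3% are discarded by the cut-off.
        for my $byte ( unpack 'C*', urandom( $len - length($token) + 8 ) ) {
            next if $byte >= $limit;
            $token .= substr( $ALPHABET, $byte % $size, 1 );
            last if length($token) >= $len;
        }
    }
    return $token;
}

printf "weak   (rand()-based, predictable): %s\n", weak_token(32);
printf "secure (CSPRNG-based)             : %s\n", secure_token(32);
```

Both functions return strings of the same shape, which is the point: a token's length says nothing about its unpredictability, only its source does. When auditing a codebase for this class of defect, the check is simply which package every token, nonce, or session identifier traces back to; anything that ends in core rand(), Data::Random, or List::Util::shuffle belongs on the weak side. Crypt::PRNG, the other replacement the advisory names, offers the same CSPRNG-backed string generation (its `random_string`) if a CryptX dependency is acceptable.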

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 5

News mentions: 0

No linked articles in our index yet.