Dropbox SDK for Android Remote Exploitation *youtube

2015.03.11
Credit: Roee Hay
Risk: High
Local: No
Remote: Yes
CWE: CWE-200


CVSS Base Score: 2.6/10
Impact Subscore: 2.9/10
Exploitability Subscore: 4.9/10
Exploit range: Remote
Attack complexity: High
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

The CVE-2014-8889 vulnerability lets adversaries insert an arbitrary access token into the Dropbox SDK, completely bypassing the nonce protection.

    protected void onCreate(Bundle savedInstanceState) {
        ...
        Intent intent = getIntent();
        ...
        // Untrusted input: the extra is set by whoever launched this Activity
        webHost = intent.getStringExtra(EXTRA_INTERNAL_WEB_HOST);
        if (null == webHost) {
            webHost = DEFAULT_WEB_HOST;
        }
        ...
    }

    protected void onResume() {
        ...
        String state = createStateNonce();
        ...
        if (hasDropboxApp(officialIntent)) {
            startActivity(officialIntent);
        } else {
            startWebAuth(state);
        }
        ...
        authStateNonce = state;
    }

    private void startWebAuth(String state) {
        String path = "/connect";
        Locale locale = Locale.getDefault();
        String[] params = {
            "locale", locale.getLanguage() + "_" + locale.getCountry(),
            "k", appKey,
            "s", getConsumerSig(),
            "api", apiType,
            "state", state
        };
        // webHost, taken from the Intent extra above, decides which host the
        // browser is sent to together with the state nonce
        String url = RESTUtility.buildURL(webHost, DropboxAPI.VERSION, path, params);
        Intent intent = new Intent(Intent.ACTION_VIEW, Uri.parse(url));
        startActivity(intent);
    }

This code belongs to the Activity that is responsible for the Dropbox authentication. It consumes various Intent extra parameters. Since the browser can invoke this Activity, it can be launched by both malware and malicious websites with an arbitrary Intent payload. Therefore, special care must be taken when consuming this Intent's payload. Consumption of one particular Intent extra, INTERNAL_WEB_HOST, has devastating results. When the browser is used to authenticate the user and authorize the app to access the user's Dropbox account (i.e., the Dropbox app is not installed), this parameter eventually controls the host that the browser surfs to. If the attacker can generate an Intent targeting the Activity, with INTERNAL_WEB_HOST pointing to his or her server, the authentication process will take place with the nonce sent to the attacker.
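The following is an added, hardened variant of the same Activity, written here for illustration; it is not the Dropbox SDK's own code or its actual fix. It keeps the field and extra names from the fragment above, assumes a constant DEFAULT_WEB_HOST (the value shown is a placeholder), and replaces the blind trust in the INTERNAL_WEB_HOST extra with an allowlist check, so a caller-supplied host that is not on the list is ignored and the state nonce only ever travels to a known host over https. The path segment "/1/connect" and the allowlist contents are assumptions, not values taken from the SDK.

```java
// Added example (not the Dropbox SDK's code): an auth Activity that does not
// let the launching Intent choose the host that receives the state nonce.
import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

public class HardenedAuthActivity extends Activity {
    static final String EXTRA_INTERNAL_WEB_HOST = "INTERNAL_WEB_HOST";
    // Placeholder value; the real SDK constant is not reproduced here.
    static final String DEFAULT_WEB_HOST = "www.example-auth-host.invalid";

    // Only hosts on this list may ever receive the user and the state nonce.
    // Contents are an assumption for the example.
    private static final Set<String> ALLOWED_WEB_HOSTS =
            new HashSet<>(Arrays.asList(DEFAULT_WEB_HOST));

    private String webHost;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // The Intent may come from a browser or another app, so the extra is
        // treated as untrusted and filtered before it can influence navigation.
        webHost = selectWebHost(getIntent());
    }

    /**
     * Returns the caller-supplied host only if it is on the allowlist;
     * otherwise falls back to the built-in default.
     */
    static String selectWebHost(Intent intent) {
        String requested = (intent == null)
                ? null
                : intent.getStringExtra(EXTRA_INTERNAL_WEB_HOST);
        if (requested == null) {
            return DEFAULT_WEB_HOST;
        }
        String normalized = requested.trim().toLowerCase(Locale.ROOT);
        return ALLOWED_WEB_HOSTS.contains(normalized) ? normalized : DEFAULT_WEB_HOST;
    }

    /**
     * Builds the browser auth URL with Uri.Builder so the scheme is fixed to
     * https and the authority is exactly the allowlisted host, rather than
     * concatenating strings. appKey, consumerSig and apiType are passed in
     * for the example instead of being read from fields.
     */
    private void startWebAuth(String state, String appKey,
                              String consumerSig, String apiType) {
        Locale locale = Locale.getDefault();
        Uri url = new Uri.Builder()
                .scheme("https")
                .authority(webHost)
                .path("/1/connect")  // assumed path, see lead-in
                .appendQueryParameter("locale",
                        locale.getLanguage() + "_" + locale.getCountry())
                .appendQueryParameter("k", appKey)
                .appendQueryParameter("s", consumerSig)
                .appendQueryParameter("api", apiType)
                .appendQueryParameter("state", state)
                .build();
        startActivity(new Intent(Intent.ACTION_VIEW, url));
    }
}
```

The important change is that the host is selected from data the app controls, not from data the launching Intent controls. An allowlist is a stronger check than, say, a substring or suffix match on the host name, because the latter can be satisfied by hosts the developer never intended. A reviewer auditing an exported Activity should apply the same test to every extra it reads: if the value ends up in a URL, a file path or an Intent that the app then acts on, it needs the same treatment.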

References:

https://www.youtube.com/watch?v=v3T_giEpF44
http://securityintelligence.com/droppedin-remotely-exploitable-vulnerability-in-the-dropbox-sdk-for-android#.VQAfuBDF-rF


Copyright 2024, cxsecurity.com