Attackers Can Access Dropbox, Google Drive, OneDrive Accounts Without the User's Password
A report by Imperva shows how an attacker could easily get their grubby hands on cloud storage and synchronization accounts, without even needing the user's password, and use them in their illicit activities.
The research paper details a new technique called MITC (Man in the Cloud), which allows attackers to intrude popular cloud storage services like Box, Dropbox, Google Drive, and OneDrive.
MITC attacks don't rely on vulnerabilities in the syncing applications themselves, nor on security holes in the cloud storage server, but act on a design flaw.
Because of the way these services were built, not requiring a password every time a file is synced, a token is used instead to authorize these operations without constantly hampering the user.
This token is stored on each of the devices a user connects to their cloud storage device, and even if encrypted, it can be broken into and stolen by attackers.
MITC could be one of the most effective ways of delivering malware and ransomware
With new tokens added to their arsenal, an attacker could then add them to their own PC or automated scripts, and have access to compromised accounts, which they can utilize in various ways.
An attacker would have nothing standing in their way from stealing files from corrupted accounts, altering existing files, and infecting the user with malware or ransomware, effectively locking the user out of their own files.
According to Imperva researchers, more worrying is the fact that these tokens will work in some cases even after a password change (Dropbox and Box), and to remove an attacker's entry point, a user needs to remove connected devices, or in some extreme cases, cancel their cloud storage account altogether and open a new one.
The Imperva team concludes that "while testing our concepts in the lab, we found some evidence that these types of attacks are already occurring in the wild (for example, as mentioned in 'The Inception Framework')."
For those interested, the same paper will be presented at the Black Hat USA 2015 conference that's going on these days.