Dropbox, Box vulnerable to Man-In-The-Cloud Attack
12 August 2015
At last week’s annual Black Hat conference, the security firm Imperva said they’d found a 'side door' vulnerability in several file sync and share apps including Dropbox, Box, OneDrive, and Google Drive.
According to their report, malicious actors could gain access to content stored in one of these systems without even needing a username and password; it would be nearly impossible for the account owner to know this had happened, and the only way to stop the intrusion might be to close the whole account. Scary stuff. How are they doing this?
The fault lies in the synchronization process. When a system like Dropbox or Box syncs files across a user’s devices, the client uses a unique token (a small file stored on the device) to identify itself and gain access to the stored documents. Tokens make it possible to keep files synced without repeatedly asking the user to log in and identify themselves.
Using tokens is usually safe and efficient, provided some precautions are taken. For example, to protect users in the event a token is somehow stolen, the token needs to be device dependent — that is, it will only work with a specific device, so that in the hands of a thief, it won’t work on their systems. This is how we’ve engineered products at Intralinks, such as Intralinks VIA®, and it means we’re not susceptible to the issue Imperva identified.
Unfortunately, most consumer file sharing apps like Dropbox and Box use device-independent tokens, so once a token is stolen, documents can be taken at will without the owner ever knowing.
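To make the device-dependent versus device-independent distinction concrete, here is a small Python sketch of how a sync service can bind a token to the device it was issued to. It is an added illustration, not Imperva's proof of concept and not Intralinks' or any vendor's implementation; the signing key, the fingerprint inputs and the account name are constructed, and the token format is a hypothetical one chosen for the example. The server's MAC covers the device fingerprint, but the token itself does not carry it, so a token copied to another machine fails verification, and a single token id can be revoked instead of closing the whole account.

```python
import hashlib
import hmac
import secrets

# Constructed demo signing key; a real service keeps this in a KMS/HSM, never in code.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"


def device_fingerprint(machine_id: str, hostname: str) -> str:
    """Hypothetical fingerprint built from properties the sync client reads locally.

    The inputs are constructed for the example; a production client would use
    platform-specific identifiers that are costly to reproduce on another machine.
    """
    return hashlib.sha256(f"{machine_id}|{hostname}".encode()).hexdigest()


def issue_token(account: str, fingerprint: str, key: bytes = SERVER_KEY) -> str:
    """Issue a sync token bound to one device.

    The MAC covers the device fingerprint, but the fingerprint is deliberately
    NOT embedded in the token: the presenting device must recompute it every
    time, so the stored token file alone is not enough to authenticate.
    """
    token_id = secrets.token_hex(16)
    mac = hmac.new(key, f"{account}.{token_id}.{fingerprint}".encode(),
                   hashlib.sha256).hexdigest()
    return f"{account}.{token_id}.{mac}"


def verify_token(token: str, presented_fingerprint: str, revoked: set,
                 key: bytes = SERVER_KEY) -> tuple:
    """Check a token against the fingerprint of the device presenting it.

    Returns (True, account) on success, or (False, reason) otherwise. A
    'device-mismatch' result on a token whose MAC is otherwise well-formed is
    the signal a defender wants logged: it is exactly what a copied token
    produces when replayed from a different machine.
    """
    try:
        account, token_id, mac = token.split(".")
    except ValueError:
        return False, "malformed"
    if token_id in revoked:
        return False, "revoked"
    expected = hmac.new(key, f"{account}.{token_id}.{presented_fingerprint}".encode(),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking MAC bytes through timing.
    if not hmac.compare_digest(expected, mac):
        return False, "device-mismatch"
    return True, account


def revoke_token(token: str, revoked: set) -> set:
    """Revoke just this token id; other devices on the account keep working."""
    revoked.add(token.split(".")[1])
    return revoked


if __name__ == "__main__":
    laptop = device_fingerprint("constructed-machine-id-1", "alice-laptop")
    other = device_fingerprint("constructed-machine-id-2", "unknown-host")
    tok = issue_token("alice", laptop)
    print("laptop presents token:", verify_token(tok, laptop, set()))
    print("copied token elsewhere:", verify_token(tok, other, set()))
    print("after revocation:", verify_token(tok, laptop, revoke_token(tok, set())))
```

The check that matters is the second call: the same token string is rejected as soon as it is presented with a different fingerprint, which is the property the paragraph above describes as device dependence. Revocation works per token id, so the account owner can cut off one device without closing the account.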
The Imperva story highlights another issue with data security: the need to educate users. The vulnerability Imperva uncovered depends on someone gaining access to a user’s system and the token file, and the most likely way for this to happen is through phishing or some other form of social engineering. By far the best defense against phishing expeditions is to sensitize employees to the risks, but technology can definitely help. This is one reason we’ve included plugin-free information rights management in our platform: it means that even after a file has been lost, users can retract access in real time, with the click of a button.
For true enterprise-grade collaboration and file sharing, security needs to be a top priority, not a token gesture.
Todd Partridge is Vice President, Product Marketing at Intralinks. He has broad industry experience in the enterprise information management (EIM) space, with deep expertise in all trends and technologies related to information governance, enterprise content management, document management, web content management, business intelligence, team collaboration, e-mail management, and enterprise records management practices. In his previous role at OpenText, Todd held several global positions spanning sales, marketing, product management, positioning, and strategy.