Protect cloud file sharing from a man-in-the-cloud attack

Man-in-the-cloud attacks on file sharing services can lead to confidential data leakage. Expert Rob Shapland explains how to mitigate the threat.

The Black Hat conference in Las Vegas is always a good place to hear about some of the latest and greatest security threats, and now that the show is over, we can begin to examine the real-world impact from some of the vulnerabilities that were presented.

One key presentation enterprises should be aware of directly affects a number of cloud file sharing services, such as Dropbox, Box, Google and Microsoft OneDrive.

Dubbed "man in the cloud" by Imperva researchers, the vulnerability exploits cloud applications' use of synchronization tokens. When setting up cloud services on a device, users are given the option of setting up sync folders. These are folders on the device that will automatically synchronize with the central cloud server; so any files placed on either the local device or the cloud service will be synced to all devices that are configured with sync folders. In order for the synchronization process to happen seamlessly and automatically (i.e., without entering a username and password every time), cloud services use tokens unique to that user.

The problem the man-in-the-cloud attack exploits is that these tokens are not tied to a specific device; therefore if a hacker can acquire another user's synchronization token, they can gain access to that user's files without detection and without ever knowing the username and password.

The attack happens in a few stages. First, the attacker needs to be able to trick the victim into opening a malicious file; this is usually achieved by an email phishing attack. Once the file has been run, it will automatically switch out the victim's synchronization token with the attacker's. This means that whenever the sync folder is updated, it will also send all the data to the attacker's device. The malicious file also copies the victim's synchronization token to the sync folder, thereby automatically copying it to the attacker's device. Now that the attacker has the victim's token, it will be possible to configure one of their own devices to the folder in order to receive the victim's files. The token on the victim device is then switched back to its original state.

As the perimeter of organizations' networks becomes less defined and the cloud relied on more, it becomes increasingly difficult to detect and prevent this type of attack.

At this point, the victim is none the wiser that another device has been added to their account and doesn't realize that any files they put in the sync folder will be copied to the attacker's device. It is important to note that this also works vice versa; the attacker can place items in the sync folder and have them propagate to all the other synced devices, allowing them to copy whatever malicious files they choose to the victim's machine.

The potential impact of this is very serious, especially if an organization is using cloud file sharing services to back up confidential data. An attacker could use the attack to access this information and it would be extremely difficult to detect. It should be noted, though, that there is still an initial stage of compromise -- where an attacker must trick an employee into opening a malicious file -- in order to access the synchronization token.

As the perimeter of organizations' networks becomes less defined and the cloud is relied on more, it becomes increasingly difficult to detect and prevent this type of attack. The simple solution to the issue is to be very careful how cloud file sharing services are used and clearly define what is permitted to be stored in the cloud. Enterprises could avoid a man-in-the-cloud attack altogether by not enabling sync folders. The attack can also be stopped at its initial infection point by ensuring staff is educated to not open file attachments or visit suspicious links. There are also control systems that can help too, for example, cloud access security broker services that monitor cloud usage.

In summary, this attack can be considered to a highly effective way of gaining access to an organization's cloud resources. It proves why organizations must carefully consider any cloud functionality allowed on their network, including those automatically enabled in products such as Microsoft Office. All cloud access should be tightly controlled.

About the author:
Rob Shapland is a penetration tester at First Base Technologies, where he specializes in Web application security. He has used his skills to test the websites of companies that range from large corporations to small businesses using a wide variety of Web technologies. Shapland is a firm believer that all penetration testing should have manual techniques at their core, using automated tools to support these skills. He is also involved in network testing and social engineering.

Next Steps

Learn more about secure enterprise file sharing  and data encryption in the cloud

Uncover what to look for in cloud storage and file-sharing services

Dig Deeper on Cloud Data Storage, Encryption and Data Protection Best Practices