We’ve heard of man-in-the-middle and man-in-the-browser attacks. But Imperva researchers have now uncovered man-in-the-cloud attacks, and they’re coming for your Google Drive and Dropbox accounts.
With a man-in-the-cloud attack, someone can compromise major file sync services such as Google Drive, Dropbox, OneDrive, and Box (to name a few) without having to resort to stealing the user’s account credentials or somehow compromising the cloud provider’s servers. In this scenario, attackers just have to steal the synchronization token saved on the user’s endpoint machine.
Most of these services save a synchronization token on the endpoint device after the user successfully authenticates to the server. The token means users don’t have to enter their password every time they want to access the service. Since the same token can be used across multiple devices, all the attacker has to do is somehow intercept and copy that token and install it on his or her machine. The easiest way for the attacker to get access to the token is to social engineer the user, Imperva said. Unfortunately, just changing the account password doesn’t change the token.
Imperva illustrated the attack via a tool it developed called Switcher. Users are social-engineered into running the program, which installs a new token for the account belonging to the attacker. The user’s machine at this point will sync with the attacker’s account, thus syncing the token for the user’s actual account into the attacker’s account. This just takes seconds to complete.
What does this mean? Attackers would be able to steal files as part of an espionage campaign or harvest personally identifiable information. Attackers can also embed malicious code into these files and simply wait for the user to open them to achieve a successful infection.
Since the attacker can delete the attack token and copy the user’s token back to the user’s machine, it’s very easy to hide the breach. These attacks are undetectable by perimeter defenses and traditional endpoint security tools, Imperva said. And in the case of the above malware infection example, it would be easy for the attacker to just restore the original files, and hard to trace the source of the infection.
“Recovery of the account from this type of compromise is not always feasible,” Imperva researchers wrote in the report.
Just a note here, though. This isn’t a vulnerability with the cloud services, or an issue in how they are designed. The file sync services are designed to make it easy to push files from your computer to the cloud and to all other devices you have. The barriers are intentionally low because usability is the driving factor. But this is why users need to take protective action.
If you encrypt your files before uploading to these services, you will at least be protected from the man-in-the-cloud attacks because attackers would just see encrypted blobs. That is, assuming you don’t store the encryption keys in the cloud service as well. If the service offers two-factor authentication, by all means take advantage of it. Or enable log-in alerts to inform you if there is a log-in attempt from a new device.
Cloud-based file sync services are quite convenient and help consumers and businesses move files around. Take advantage of the available protection features so that you can do it securely as well as easily.