Security experts at the Fraunhofer Institute for Secure Information Technology in Darmstadt, Germany, have discovered that numerous cloud storage service providers do not check the e-mail addresses provided during the registration process. This fact in combination with functions provided by these service providers, such as file sharing or integrated notifications, result in various possibilities for attacks.
For example, attackers can bring malware into circulation or spy out confidential data, said the experts. As one of the supporters of the Center for Advanced Security Research Darmstadt, the Fraunhofer Institute scrutinized various cloud storage services. The testers discovered the same weakness with the free service offerings from CloudMe, Dropbox, HiDrive, IDrive, SugarSync, Syncplicity and Wuala. Scientists from Fraunhofer presented their findings on the possible forms of attacks last month at the 11th International Conference on Trust, Security and Privacy in Computing and Communications in Liverpool,England.
Attackers do not require any programming knowledge whatsoever to exploit these weaknesses, the report said. All they need is to create an account using a false e-mail account. The attacker can then bring malware into circulation using another person’s identity, the report said. With the services provided by Dropbox, IDrive, SugarSync, Syncplicity and Wuala, attackers can even spy on unsuspecting computer users with the help of the false e-mail address by encouraging them to upload confidential data to the cloud for joint access.
Fraunhofer informed the affected service providers many months ago. And although these weaknesses can be removed with very simple and well-known methods, such as sending an e-mail with an activation link, not all of them are convinced that there is a need for action. Markus Schneider, deputy director of Fraunhofer, said “Dropbox, HiDrive, SugarSync, Syncplicity and Wuala have reacted after receiving our information.”
Some of these providers are now using confirmation e-mails to avoid this weakness, a method that has been in use for quite some time now. Others have implemented other mechanisms. “We think it is important that users are informed about the existing problems,” said Schneider. “Unfortunately, it is not possible to provide 100 precent protection against attacks, even if the affected services are avoided. It is therefore important that cloud storage services providers remove such weaknesses, as this helps to protect users more effectively.”
Consumers who use the affected services should be careful, said the institute. Those who receive a request to download data from the cloud or upload data to it should send an e-mail to the supposed requester to verify whether the request was really sent by them, it added.