Numerous cloud storage service providers do not check the e-mail addresses provided during the registration process, and could potentially allow attackers to bring malware into circulation or spy out confidential data.
This fact, according to Security experts at the Fraunhofer Institute for Secure Information Technology (SIT) in Darmstadt, in combination with functions provided by these service providers, such as file sharing or integrated notifications, result in various possibilities for attacks.
As one of the supporters of the Center for Advanced Security Research Darmstadt (CASED), the Fraunhofer SIT scrutinized various cloud storage services. The testers discovered the same weakness with the free service offerings from CloudMe, Dropbox, HiDrive, IDrive, SugarSync, Syncplicity and Wuala.
Attackers do not require any programming knowledge whatsoever to exploit these weaknesses. All they need is to create an account using a false e-mail account. The attacker can then bring malware into circulation using another person’s identity. With the services provided by Dropbox, IDrive, SugarSync, Syncplicity and Wuala, attackers can even spy on unsuspecting computer users with the help of the false e-mail address by encouraging them to upload confidential data to the cloud for joint access.
Fraunhofer SIT informed the affected service providers many months ago. And although these weaknesses can be removed with very simple and well-known methods, such as sending an e-mail with an activation link, not all of them are convinced that there is a need for action.
According to Dr. Markus Schneider, Deputy Director of Fraunhofer SIT, “Dropbox, HiDrive, SugarSync, Syncplicity and Wuala have reacted after receiving our information.” Some of these providers are now using confirmation e-mails to avoid this weakness, a method that has been in use for quite some time now.
Others have implemented other mechanisms.
“We think it is important that users are informed about the existing problems”, said Schneider. “Unfortunately, it is not possible to provide 100% protection against attacks, even if the affected services are avoided. It is therefore important that cloud storage services providers remove such weaknesses, as this helps to protect users more effectively.”
Consumers who use the affected services should be careful. Those who receive a request to download data from the cloud or upload data to it should send an e-mail to the supposed requestor to verify whether the request was really sent by them.