Dark Clouds on the Horizon: Using Cloud Storage as Attack Vector and Online Slack Space

M. Mulazzani, S. Schrittwieser, M. Huber, M. Leithner, E. Weippl:
"Dark Clouds on the Horizon: Using Cloud Storage as Attack Vector and Online Slack Space";
Vortrag: Usenix Security Symposium, San Francisco; 08.08.2011 - 12.08.2011; in:"Proceedings of 20th USENIX Security Symposium", (2011).

[ Publication Database ]

Abstract:


During the past few years, a vast number of onlinefile storage services have been introduced. While several of these services provide basic functionality such as uploading and retrievingfiles by a specific user, more advanced services offer features such as shared folders, real-time collaboration, minimization of data transfers or unlimited storage space. Within this paper we give an overview of existingfile storage services and examine Dropbox, an advancedfile storage solution, in depth. We analyze the Dropbox client software as well as its transmission protocol, show weaknesses and outline possible attack vectors against users. Based on our results we show that Dropbox is used to store copyright-protectedfiles from a popularfilesharing network. Furthermore Dropbox can be exploited to hidefiles in the cloud with unlimited storage capacity. We define this as online slack space. We conclude by discussing security improvements for modern online storage services in general, and Dropbox in particular. To prevent our attacks cloud storage operators should employ data possession proofs on clients, a technique which has been recently discussed only in the context of assessing trust in cloud storage operators.