One of the most talked about exploits in the cloud security world is the “Man in the Cloud” attack. For a hacker to perpetuate the MITC attack, a hacker doesn’t even need the username and password for your cloud syncing account.
In fact, researchers from Imperva have recently witnessed an exploit that allows a hacker to hijack services from an unsuspecting user from the following cloud storage services: Dropbox, Google Drive, Microsoft OneDrive and Box.
The exploit is called “Man in the Cloud” because once a hacker hijacks a cloud storage account, not only do they have access to all of the data stored in that account, the hacker can then remotely control a compromised computer without having to rely on a remote access trojan. In fact, the MITC attack is not currently being detected by security products such as antivirus software.
Imperva, the lab that discovered the attack, says that the hacker gains authentication to the cloud service by stealing a token that is generated the first time a cloud syncing service is used on a PC. Imperva mentions that these tokens are kept in places like your computer’s registry, the Windows Credential Manager or within a flat file.
So how do the hackers get the token? Using a program called Switcher, hackers rely on end users that have browser plugins that are susceptible to the Switcher app. Once the end user unknowingly visits an impacted site, the browsers plugin is tricked into switching the end users token with a token provided by the hacker. The switcher app then makes a copy and switches back the users authentication token. With the token on file, the hacker can remotely control any PC using that token to connect to the cloud storage service.
Is there a fix for the MITC vulnerability? Even if users change their passwords, the stolen token should still work for the hacker. Developers have come up with different methods of mitigating these attacks, however an official, deployable solution has not yet been discovered.