Friday, September 13, 2013

Three Reasons Why Dropbox Previews Are Security & Privacy Nightmares

This is a follow up from my last post Who's That Peeking in My Dropbox. I also want to say that I love the Dropbox service and use it daily. This post is from a pure security perspective.

So the short story is every time you upload Word Documents (.DOC) to Dropbox they open the files in LibreOffice. This was discovered by Daniel McCauley who used our HoneyDocs.com service and noticed the behavior. Daniel wrote a blog post that went viral.

In my blog post yesterday I was less suspicious and suspected that this may have been a security feature to scan for malicious documents. I was wrong and Dropbox's response brought up more security and privacy concerns which I address below.


1. Robo-Phishing

I'm not sure if the term Robo-phishing exists, but it is the best way to describe it. Since Dropbox processes every document that is uploaded, an attacker could embed LibreOffice exploits that could result in remote code execution. Because Dropbox has automated this process, an attacker could use Dropbox's API to upload malicious files and compromise dozens of Dropbox's systems. Normally you would have to trick someone into opening phishing documents, but at Dropbox the opening is automated.

2. Privacy Concerns

Most people that use Dropbox assume that it keeps their documents in some sort of secure virtual drive in the cloud. This is certainly not true, and the fact that they generate previews probably means that your data (most of your text) is copied and shoved into a huge database with everyone else's data.

This means that if a system which has access to that database is compromised, the intruder can potentially read everyone's data. This also means that the data is not immediately encrypted, as some think, because the documents must be passed around in clear text for programs such as LibreOffice to use them.

Since at least portions of your document's text are stored in a common database, your data is indexed and searchable on a massive scale. If Dropbox has that capability, an intruder could do the same after compromising Dropbox.

3. Theoretical DDoS

I saw in this thread https://news.ycombinator.com/item?id=6377712 at Hacker News that Dropbox's Security Team Lead Andrew Bortz admits the process is a theoretical DDoS vulnerability. Even better, they are temporarily disabling the process.
Hi everyone, this is Andrew from Dropbox. 
We do use LibreOffice to render previews of Office documents for viewing in a browser, and have permitted external resource loading to make those previews as accurate as possible. While this could theoretically be used for DDoS, we haven’t seen any such behavior. However, just to be extra cautious we’ve temporarily disabled external resource loading while we explore alternatives.
In that same thread username 'helium' offers my sentiments exactly:
Hi Andrew, thanks for the explanation. 
Could Dropbox perhaps let me disable this feature? I almost never use the web interface so I wouldn't miss it and I prefer that my documents are not opened after being synched. 
