Two weeks ago Rapid7 published research showing that Amazon S3 shared storage can be shared more widely than its owners might have realized. This followed original research from independent pen-tester Robin Wood. Wood told Infosecurity at the time, “I found the same thing on the Apple MobileMe system and on another similar one that I've not released yet.”
He has now published that data, and the ‘similar one’ turns out to be SpiderOak. His research is not new, going back to early 2012 – but he admits to having simply forgotten about it. “At the start of 2012 I started using SpiderOak, which also offers a way to share data with other people, so I decided to have a look at how that worked to see if it could also be enumerated.” He found it could. In March he informed SpiderOak, since he wanted to give a presentation at BSides London in April.
SpiderOak told him that a fix would be ready in time for his talk, but he changed his presentation to one on ‘Breaking into Security’ and forgot about it. The Rapid7 publication on S3 buckets reminded him, so “I thought I'd dig out the SpiderOak work and see if it still worked, it does...”
This raises the question of why SpiderOak has not fixed a problem it promised to fix a year earlier – but it is worth stating that Wood still has faith in the service, and still uses SpiderOak.
“The way the enumeration works,” explains Wood, “is by checking HTTP return values to identify valid accounts then looking for RSS feeds to find valid shares.” Just as with the S3 problem, you need to guess potential URLs. The weakness is that SpiderOak returns different responses for names that exist and names that do not. “So you can now run through a list of user names and score a hit for any 200's you get back.”
The next step is to look for an RSS link in the returned header. “All shares, whether they exist or not, have an RSS link in the header but if you then check the RSS link you get a 200 for valid shares but 404 for shares which don't exist.” Bingo. You can find valid shares, and “if you look at the RSS feed that you get from a valid share it contains a list of all the files in the share.”
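The two-stage probing Wood describes (many guessed share names, mostly 404s, followed by RSS fetches for the few 200s) leaves a recognisable footprint in a server's access log. The following is an added detection example written for this article, not code from Wood or SpiderOak; the `/share/<user>/<share>` path layout, the `/rss` suffix and the log lines themselves are constructed assumptions, not SpiderOak's real URL scheme.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (combined log format). The path layout
# /share/<user>/<share> and the "/rss" suffix are assumptions for this example.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2013:10:00:01 +0000] "GET /share/alice/photos HTTP/1.1" 404 0
203.0.113.7 - - [10/Apr/2013:10:00:02 +0000] "GET /share/alice/backup HTTP/1.1" 404 0
203.0.113.7 - - [10/Apr/2013:10:00:03 +0000] "GET /share/alice/docs HTTP/1.1" 200 512
203.0.113.7 - - [10/Apr/2013:10:00:04 +0000] "GET /share/alice/docs/rss HTTP/1.1" 200 2048
203.0.113.7 - - [10/Apr/2013:10:00:05 +0000] "GET /share/bob/photos HTTP/1.1" 404 0
203.0.113.7 - - [10/Apr/2013:10:00:06 +0000] "GET /share/bob/docs HTTP/1.1" 404 0
198.51.100.4 - - [10/Apr/2013:10:05:00 +0000] "GET /share/alice/docs HTTP/1.1" 200 512
198.51.100.4 - - [10/Apr/2013:10:05:01 +0000] "GET /share/alice/docs/rss HTTP/1.1" 200 2048
"""

# Captures client IP, the share path (without any /rss suffix), whether the
# request was for the RSS feed, and the HTTP status code.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"GET (?P<path>/share/[^/\s]+/[^/\s]+)(?P<rss>/rss)? HTTP/[\d.]+" (?P<status>\d{3})'
)

def parse(log_text):
    """Yield (ip, share_path, is_rss, status) for each share request in the log."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group('ip'), m.group('path'), bool(m.group('rss')), int(m.group('status'))

def find_enumerators(log_text, min_distinct=4, min_miss_ratio=0.5):
    """Flag clients that probe many distinct share names with a high 404 ratio.

    A legitimate user opens one or two known shares; an enumeration run
    touches many names and mostly misses, then reads RSS listings for hits.
    """
    stats = defaultdict(lambda: {'shares': set(), 'misses': 0, 'hits': 0, 'rss_hits': 0})
    for ip, path, is_rss, status in parse(log_text):
        s = stats[ip]
        s['shares'].add(path)
        if is_rss:
            if status == 200:
                s['rss_hits'] += 1          # file listing of a valid share was read
        elif status == 404:
            s['misses'] += 1                # guessed name did not exist
        elif status == 200:
            s['hits'] += 1                  # guessed name exists
    flagged = {}
    for ip, s in stats.items():
        probes = s['misses'] + s['hits']
        if len(s['shares']) >= min_distinct and probes and s['misses'] / probes >= min_miss_ratio:
            flagged[ip] = {'distinct_shares': len(s['shares']),
                           'misses': s['misses'], 'rss_listings_read': s['rss_hits']}
    return flagged
```

On the constructed sample, only 203.0.113.7 is flagged (five distinct names, four misses, one RSS listing read); the second client, which opens a single known share, is not.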
Until SpiderOak fixes the problem (and frankly, this is now more likely with Wood’s publication), he offers the following advice: “If you have to share something, think of the share name as a password and choose appropriately. Once you no longer need to share the data, remove the share and take the data down.” But he doesn’t think the problem is limited to Amazon and Apple and SpiderOak. “When using any kind of online system for sharing your files,” he told Infosecurity, “you have to consider the sensitivity of those files. Putting up a couple of photos of you on holiday is different to using it to store your complete financial records. Research the security of the system you choose and if you are not sure then don't use it or add your own security by encrypting the data before uploading.”