Leading cloud storage provider Dropbox is arguably having its worst month since launching back in 2007—but with over half a billion users, it's somewhat surprising that serious issues have only begun to surface between the ubiquitous service and the people trusting it with their files. First, in a recent announcement reminiscent of LinkedIn's latest data breach fiasco, Dropbox announced several weeks ago that over 68 million emails and passwords were compromised in a previously disclosed 2012 data breach. And now, security experts are criticizing the company for misleading OS X users into granting admin password access and root privileges to their systems. What recourse do consumers have when cloud services providers "drop the box" on security, or even worse—when their actions directly jeopardize the users they're supposed to protect?
Dropbox announced back in 2012 that a data breach involving the theft of user data was only limited to email addresses. However, recent revelations have prompted the company to disclose that over 68 million hashed and salted passwords—along with emails—were compromised.
Similar to the LinkedIn data breach, critics are blasting Dropbox for its late disclosure of the breach's extremity. But it seems the cloud storage provider has yet another fiasco on its hands—this time, regarding trust violations committed actively by the firm against its own users. On September 9th, sources from Hacker News and Twitter revealed that the Dropbox Mac desktop client is able to gain root system access via the Mac’s Accessibility permissions list—without first requesting permission from users.
These recent developments certainly raise questions about the security mechanisms instituted by cloud storage providers, as well as the degree of trust placed in the hands of cloud vendors. Do UpGuard security ratings offer clues regarding cloud storage providers' security fitness, trustworthiness, and enterprise resilience? Let's see how each respective vendors' website perimeter security mechanisms stack up.
Cloud Storage Provider Roundup
We start the comparison with the two largest competing cloud storage providers by market share, Dropbox and Box, followed by other leading offerings in the category—several of which are marketed as "secure" cloud storage providers, touting strong security/privacy as their primary differentiator.
1. Box - 912 out of 950
Box is based in Redwood City, California, and is a cloud content management and file sharing service for businesses. Official clients and apps are available for Windows, macOS, and several mobile platforms. Box was founded in 2005.
As of June 4, 2020, Box has the following security issues:
- HSTS header does not contain includeSubDomains: The inclduSubDomains directive instructs the browser to also enforce the HSTS policy over subdomains of this domain.
- Domain was not found on the HSTS preload list: Users who visit the website for the first time will be vulnerable to MITM attacks. The requirements for inclusion on the preload list are specified by hstspreload.org.
- DNSSEC not enabled: DNSSEC records prevent third parties from forging the records that guarantee a domain's identity. DNSSEC should be configured for this domain.
View Box’s complete security profile here.
2. Tresorit - 903 out of 950
Tresorit is an online cloud storage service based in Switzerland and Hungary that emphasizes enhanced security and data encryption for Businesses and individuals/freelancers.
As of June 4, 2020, Tresorit has the following security issues:
- Secure cookies not used: When secure cookies are not used, there is an increased risk of third parties intercepting information contained in these cookies. The website configuration should be changed so that all 'Set-Cookie' headers include 'secure'.
A representative from Tresorit raised that as Tresorit uses preloaded HSTS which means "cookies are never transmitted via HTTP, only via HTTPS, so there is no increased risk in not using Secure cookies. HSTS preload supported by all major browsers, as shown on https://hstspreload.org/ and https://caniuse.com/#feat=stricttransportsecurity, meaning all major browsers (Chrome, Firefox, Opera, Safari, IE 11 and Edge) shipped to end-users automatically communicates with tresorit.com via HTTPS."
See Tresorit’s complete security profile here.
3. Dropbox - 846 out of 950
Dropbox is a file hosting service operated by American company Dropbox, Inc., headquartered in San Francisco, California, that offers cloud storage, file synchronization, personal cloud, and client software. Dropbox was founded in 2007 by MIT students Drew Houston and Arash Ferdowsi as a startup company, with initial funding from seed accelerator Y Combinator.
As of June 4, 2020, Dropbox has the following security issues:
- Insecure SSL/TLS versions available: Any version of the SSL protocol, and TLS prior to version 1.2, are now considered insecure. The server should disable support for these old protocols.
- HttpOnly cookies not used: When HttpOnly cookies are not used, the cookies can be accessed on the client, which enables certain types of client-side attacks. The website configuration should be changed to enforce HttpOnly cookies.
See Dropbox’s complete security profile here.
4. Carbonite - 846/950
Carbonite, an OpenText company, offers all the tools necessary for protecting data from the most common forms of data loss, including ransomware, accidental deletions, hardware failures, and natural disasters. From automated computer backup to comprehensive protection for physical and virtual server environments, Carbonite ensures the accessibility and resiliency of data for any system.
As of June 4, 2020, Carbonite has the following security issues:
- HttpOnly cookies not used: When HttpOnly cookies are not used, the cookies can be accessed on the client, which enables certain types of client-side attacks. The website configuration should be changed to enforce HttpOnly cookies.
- HSTS header does not contain includeSubDomains: The inclduSubDomains directive instructs the browser to also enforce the HSTS policy over subdomains of this domain.
- Domain was not found on the HSTS preload list: The domain was not found on the HSTS preload list. Users who visit the website for the first time will be vulnerable to MITM attacks. The requirements for inclusion on the preload list are specified by hstspreload.org.
See Carbonite’s complete security profile here.
5. Backblaze - 827 out of 950
Backblaze is a data storage provider. It offers two products: B2 Cloud Storage - An object storage service similar to Amazon's S3. Computer Backup - An online backup tool that allows Windows and macOS users to back up their data to offsite data centers.
As of June 4, 2020, Backblaze has the following security issues:
- HSTS header does not contain includeSubDomains: The inclduSubDomains directive instructs the browser to also enforce the HSTS policy over subdomains of this domain.
- Domain was not found on the HSTS preload list: The domain was not found on the HSTS preload list. Users who visit the website for the first time will be vulnerable to MITM attacks. The requirements for inclusion on the preload list are specified by hstspreload.org.
- DMARC policy is p=none: DMARC policy is p=none. This provides no protection against fraudulent emails. The DMARC policy should be migrated to p=quarantine, and eventually p=reject.
- SPF policy uses ~all: Sender Policy Framework (SPF) record is too lenient as to which domains are allowed to send email on the domain's behalf. This record should preferably not use the ~all mechanism, as this does not instruct the mail receiver to reject messages from unauthorized sources. When DMARC is not being enforced, -all should be used on the SPF record.
- DNSSEC not enabled: DNSSEC records prevent third parties from forging the records that guarantee a domain's identity. DNSSEC should be configured for this domain.
- Domain registrar deletion protection not enabled: Domain is not protected from unsolicited deletion requests with the registrar. The domain should have clientDeleteProhibited set.
- Domain registrar update protection not enabled: Domain is not protected from unsolicited update requests with the registrar. The domain should have clientUpdateProhibited set.
See Backblaze’s complete security profile here.
6. SugarSync - 827 out of 950
SugarSync is a cloud service that enables active synchronization of files across computers and other devices for file backup, access, syncing, and sharing from a variety of operating systems, such as Android, iOS, Mac OS X, and Windows devices. For Linux, only a discontinued unofficial third-party client is available.
As of June 4, 2020, SugarSync has the following security issues:
- Insecure SSL/TLS versions available: Any version of the SSL protocol, and TLS prior to version 1.2, are now considered insecure. The server should disable support for these old protocols.
- HTTP Strict Transport Security (HSTS) not enforced: Without HSTS enforced, people browsing this site are more susceptible to man-in-the-middle attacks. The server should be configured to support HSTS.
See SugarSync’s complete security profile here.
7. IDrive - 798 out of 950
IDrive Inc. is a technology company that specializes in data backup applications. Its flagship product is IDrive, an online backup service available to Windows, Mac, Linux, iOS and Android users.
As of June 4, 2020, IDrive has the following security issues:
- HSTS header does not contain includeSubDomains: The inclduSubDomains directive instructs the browser to also enforce the HSTS policy over subdomains of this domain.
- Domain was not found on the HSTS preload list: The domain was not found on the HSTS preload list. Users who visit the website for the first time will be vulnerable to MITM attacks. The requirements for inclusion on the preload list are specified by hstspreload.org.
- DMARC policy is p=none: DMARC policy is p=none. This provides no protection against fraudulent emails. The DMARC policy should be migrated to p=quarantine, and eventually p=reject.
- SPF policy uses ~all: Sender Policy Framework (SPF) record is too lenient as to which domains are allowed to send email on the domain's behalf. This record should preferably not use the ~all mechanism, as this does not instruct the mail receiver to reject messages from unauthorized sources. When DMARC is not being enforced, -all should be used on the SPF record.
- Domain registrar deletion protection not enabled: Domain is not protected from unsolicited deletion requests with the registrar. The domain should have clientDeleteProhibited set.
- Domain registrar update protection not enabled: Domain is not protected from unsolicited update requests with the registrar. The domain should have clientUpdateProhibited set.
See IDrive’s complete security profile here.
8. SpiderOak - 760 out of 950
SpiderOak is a US-based collaboration tool, online backup, and file hosting service that allows users to access, synchronize, and share data using a cloud-based server, offered by a company of the same name. Its first offering, its online backup service later branded "SpiderOak ONE", launched in December 2007.
As of June 4, 2020, SpiderOak has the following security issues:
- Insecure SSL/TLS versions available: Any version of the SSL protocol, and TLS prior to version 1.2, are now considered insecure. The server should disable support for these old protocols.
- X-Powered-By header exposed: The X-Powered-By header reveals information about specific technology used on the server. This information can be used to exploit vulnerabilities. The server configuration should be changed to remove this header.
- HttpOnly cookies not used: When HttpOnly cookies are not used, the cookies can be accessed on the client, which enables certain type of client-side attacks. The website configuration should be changed to enforce HttpOnly cookies.
- Secure cookies not used: When secure cookies are not used, there is an increased risk of third parties intercepting information contained in these cookies. The website configuration should be changed so that all 'Set-Cookie' headers include 'secure'.
- DNSSEC not enabled: DNSSEC records prevent third parties from forging the records that guarantee a domain's identity. DNSSEC should be configured for this domain.
See SpiderOak’s complete security profile here.
Conclusion
In short, cloud storage providers seem to be generally competent when it comes to cyber resilience, as measured by website perimeter security and other external factors. Solid CSTAR ratings across the board for these leading cloud storage providers are certainly reassuring, but recent incidents such as Dropbox's latest trust issues underscore the difference between security and trustworthiness: while its security may be solid, various other less-than-scrupulous actions may nonetheless put users at risk. Security and trust—though correlated, are two different matters. Clearly, Dropbox's security failures and violations of user trust are both equally brand damaging, but the latter may prove to be more devastating if specialized malware taking advantage of the extended privileges is discovered later on.
At the end of the day, an organization's cyber risk posture is only as strong as its weakest IT assets—whether they be desktop clients, web servers, even IT security solutions. UpGuard's digital resilience platform ensures that privilege escalations and faulty configurations—planned or unplanned—never go unchecked.
