Cloud storage services become increasingly interesting for users to easily backup or synchronize their data. On top of this basic functionality, these services offer functions for collaboration that allow users to share their files with selected other persons in a user-friendly way. We have identified that several cloud storage services do not verify whether the registrating customer is the real owner of the email address entered during the registration. Cloud providers omit the verification for reasons of usability. Here, user-friendliness goes too far at the cost of security. This vulnerability combined with collaboration functions allows attacks on cloud customers. In this paper, we explain which attacks are possible. Missing email verification and collaboration functions allow espionage and malware distribution attacks. Execution is very easy, i.e., they can be done without coding expertise or special tools.
[1]
C. Cachin,et al.
A cloud you can trust
,
2011,
IEEE Spectrum.
[2]
Ganesh Vaidyanathan,et al.
Security in dynamic web content management systems applications
,
2009,
Commun. ACM.
[3]
Jörg Schwenk,et al.
All your clouds are belong to us: security analysis of cloud management interfaces
,
2011,
CCSW '11.
[4]
Leyla Bilge,et al.
All your contacts are belong to us: automated identity theft attacks on social networks
,
2009,
WWW '09.
[5]
Edgar R. Weippl,et al.
Dark Clouds on the Horizon: Using Cloud Storage as Attack Vector and Online Slack Space
,
2011,
USENIX Security Symposium.
[6]
Ahmad-Reza Sadeghi,et al.
AmazonIA: when elasticity snaps back
,
2011,
CCS '11.