Applications such as Dropbox and Drive are of increasing relevance to business, and their security is of increasing importance. As the BYOD revolution gathers pace more and more employees are using such cloud storage services as a simple means of transferring data from corporate servers to personal tablets or smartphones. The process uploads the files to the cloud storage from which they can be accessed via or downloaded to the personal device. It follows that the security of files while in the cloud is out of the hands of the data owner.
But old habits die hard, announced the IBM blog last week. “Cross-Zone Scripting was once quite common in Desktop environments until it was mitigated by browser vendors. Unfortunately, this vulnerability type has been carried on to the Mobile world, where it is still a threat,” it claimed.
The problem, according to an advisory released by researcher Roi Saltzman, is that “the DropBox apps use an embedded browser window to render the locally stored HTML file.” The way this has been implemented would allow the execution of malicious Javascript code “to steal potentially valuable information from the DOM of the embedded browser, an attack dubbed Cross-Application Scripting" (XAS).” Furthermore, he adds, “this malicious JavaScript can also access the file system with the same permissions as the DropBox apps.” This means that an attacker could read and access the same files that the app can access.
The same embedded browser approach is used by both Dropbox and Drive on both iOS and Android, so all are – or at least were, vulnerable to this class of attack. The IBM blog includes proof of concept code to show how it is done by “a malicious HTML file that steals a secret file from the user's DropBox account (iOS Version),” but concludes with thanks to the “DropBox / Google security response teams for the quick fixes!”
This particular vulnerability may no longer exist – but it serves as an example of the need to be aware that old vulnerabilities may still creep into new technologies.