Cracks emerge in the cloud

Jun 20, 2014

A systematic analysis reveals that cloud storage services have security weaknesses that can inadvertently leak users' data.

As individual computer users increasingly access the Internet from different smartphones, tablets and laptops, many are choosing to use online cloud services to store and synchronize their digital content. Cloud storage allows consumers to retrieve their data from any location using any device and can provide critical backups in the case of hard disk failure. But while people are usually vigilant about enacting security measures on personal computers, they often neglect to consider how safe their files are in the cloud.

Now, findings from a team led by Jianying Zhou of the A*STAR Institute for Infocomm Research in Singapore promise to improve the security of popular online services and better protect users by revealing hidden flaws associated with an important feature—the ability to share files with friends, co-workers or the public.

Sharing content is an attractive way to let far-flung colleagues view and collaborate on projects without using email attachments, which often have strict file size limitations. Data sharing can be: public, with no access controls; private, in which the cloud service provider authenticates sharing through login controls; or 'secret' uniform resource locator (URL) sharing where people without an account on the cloud service can access data by following a specific web link.

The A*STAR-led researchers analyzed the security of three well-known providers—Dropbox, Google Drive and Microsoft SkyDrive—and found that all three had vulnerabilities many users might encounter. They uncovered several risks related to the sharing of secret URLs. Because URLs are saved in various network-based servers, browser histories and Internet bookmarks, frequent opportunities exist for third parties to access private data. Furthermore, the URL recipient may send the link to others without the data owner's consent.

Another danger lies in the practice of URL shortening—reducing long web addresses to brief alphanumeric sequences for easier sharing on mobile devices. Although the original URL may point to a privately shared file, shortening changes this address into plain text unprotected by encryption. Zhou also notes that because short URLs have very limited lengths, they are susceptible to brute-force attacks that can dig out supposedly secret files.
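The length argument above, worked through as an added example (not from the article or the cited paper). The 62-symbol alphabet, the 6-character short link, the one million live links and the 128-bit threshold are constructed assumptions, not figures from the study.

```python
import math
import secrets
import string

# Assumption: tokens are drawn uniformly from a 62-symbol alphabet (a-z, A-Z, 0-9).
ALPHABET = string.ascii_letters + string.digits

def keyspace_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy in bits of a uniformly random token of the given length."""
    return length * math.log2(alphabet_size)

def expected_guesses_per_hit(length, live_links, alphabet_size=len(ALPHABET)):
    """Average number of random guesses before one matches any live link."""
    return alphabet_size ** length / live_links

def min_length_for(bits, alphabet_size=len(ALPHABET)):
    """Shortest token length that reaches at least `bits` of entropy."""
    return math.ceil(bits / math.log2(alphabet_size))

def new_share_token(bits=128):
    """Generate a share token from the OS CSPRNG with at least `bits` of entropy."""
    return "".join(secrets.choice(ALPHABET) for _ in range(min_length_for(bits)))

def audit_link_scheme(length, live_links, min_bits=128):
    """Summarise whether a token length is safe to use as the only secret."""
    bits = keyspace_bits(length)
    return {
        "bits": round(bits, 1),
        "guesses_per_hit": expected_guesses_per_hit(length, live_links),
        "acceptable": bits >= min_bits,
    }

if __name__ == "__main__":
    # Constructed figures: a 6-character short link vs. a 22-character token,
    # each with one million live links on the service.
    for n in (6, 22):
        print(n, audit_link_scheme(n, live_links=1_000_000))
    print("example token:", new_share_token())
```

With these assumed figures the short link carries about 36 bits, so the link itself cannot serve as the access control; the longer token only helps if it is never passed through a shortener.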

Zhou explains that the root cause of cloud security problems lies in the need to balance usability with privacy protection. "Users should be careful when they share files in the cloud because no system is perfectly secure. The cloud industry, meanwhile, needs to constantly raise the bar against new attacks while keeping the service as functional as possible."


More information: Chu, C.-K., Zhu, W.-T., Han, J., Liu, J. K., Xu, J. & Zhou, J. "Security concerns in popular cloud storage services." IEEE Pervasive Computing 12, 50–57 (2013). DOI: 10.1109/MPRV.2013.72


User comments: 1

Jun 21, 2014
These do not seem to be cracks in the system, but just an intrinsically insecure way to share that many users find very useful.
The answer here: if your cloud has 'secret' data on it, don't use the URL feature.
The question seems to be whether or not you can turn this feature off or whether you have to sign up for it to begin with. The earlier being an obvious flaw.
