Vulnerabilities in third-party components: The widespread use of third-party and open source components in enterprise cloud apps can attract attackers and lead to data exposure. Recent examples include Heartbleed and OpenSSL CCS Injection. Attackers can take advantage this technology to steal enterprise data and read encrypted traffic.
Vulnerabilities that enable attackers to inject SQL code into an app: Some apps contain vulnerabilities that let attackers inject malicious SQL statements into one of the app’s fields. A successful exploit can have a wide-ranging impact, from attackers being able to escalate privileges in the app to making the app host malware. A recent example of this was in AdRotate, a plugin to popular SaaS app, WordPress.
Vulnerabilities that enable attackers to inject other database code into an app: Even apps that don’t use SQL can suffer from injection attacks. An example of this is the MongoDB Hash Injection, in which the use of Web application framework Ruby on Rails in conjunction with MongoDB can lead to attackers bypassing authentication, exfiltrating data and even launch denial-of-service attacks.
Client-Side Script Injections
Vulnerabilities that enable attackers to inject client-side scripts into the app: Another class of vulnerabilities enables attackers to inject code that is used to lure users to malicious sites or distribute malware to user devices. Common exploits are cross-site scripting (XSS) and iFrame injection. An example of this is the recent XSS vulnerability discovered in Offiria, an open source enterprise social network, which let remote attackers place malicious links in the app.
Vulnerabilities that lead to URL redirection: Some apps are designed in a way that enables an attacker to get in the middle of the URL path and redirect a user to a different URL. One example is the covert redirect vulnerability in OAuth 2.0 and OpenID, in which an attacker can use the authentication process to redirect users to malicious sites or steal their information.
Disclosure of shared documents
Vulnerabilities that lead to the disclosure of shared documents to unintended recipients: A well-publicized vulnerability involves the “share” function in some cloud storage apps. In it, a user can inadvertently disclose a document to unintended recipients. Major vendors like Dropbox have patched this vulnerability, but others remain unremediated. Given that other app categories like business intelligence, customer relationship management, and software development also enable sharing, this design vulnerability could impact more than just cloud storage apps.
Encrypted and Unencrypted Channels
Vulnerabilities involving the use of both encrypted and unencrypted channels for file movement: Some apps have made a design decision to use an encrypted channel to upload and an unencrypted channel to download files, which can lead to data leakage. An example is the cloud storage app JustCloud, which calls this design out in their terms and conditions. Another example is the use of unencrypted channels by native cloud storage applications in mobile devices such as iPhones and Android devices.
Misconfigured IaaS Access Settings
Vulnerabilities associated with the misconfiguration of infrastructure-as-a-service access settings:Misconfiguring infrastructure as a service can lead to data exposure. An example of this is the misconfiguration of Amazon S3 buckets. A user can easily overlook a key setting, the configuration of the bucket as “public,” which can lead to the public exposure of the contents in the logical container. Since the access configuration applies to the bucket and all of its contents, that exposure can lead to significant data leakage.
IaaS and PaaS Authentication
Vulnerabilities resulting from under-configuring infrastructure- and platform-as-a-service authentication: Organizations that do not take advantage of multi-factor authentication in their infrastructure as a service (IaaS) and platform as a service (Paas) can expose their administration console. An attacker can hijack credentials, which happened to source code hosting provider Code Spaces, ultimately putting the company out of business.
Vulnerabilities resulting from the use of weak cryptography: Most cloud apps use the secure socket layer (SSL) protocol to encrypt communication between user devices and servers. Servers configured with weak encryption can leave apps vulnerable to brute force decryption attacks and data leakage. An example of this is the stream cipher RC4, which can make SSL vulnerable to stream cipher or bit-flipping attacks.
On August 6, Russian hackers announced they had stolen more than one billion usernames and password combinations, along with accompanying email addresses — a big grab, considering that there are nearly three billion Internet users. By that estimation, up to one-third of Internet users may be vulnerable to data loss. The breach is a poignant reminder for individual users and enterprises alike to take a look at how they’re protecting their personally identifiable information (more commonly referred to as PII).
Cisco recently predicted that there will be 21 billion Internet devices in use by 2018, and a recent survey from Netskope shows that most enterprises use an average of 508 cloud apps across an average of three devices per user. Both of these statistics underscore the dizzying number of usernames, passwords, and email addresses that are used across a myriad of devices and apps, a trend that only looks to continue for the foreseeable future. Organizations today are already relying heavily on cloud apps to help improve productivity and reduce operating costs, and as security standards continue to improve, businesses are becoming increasingly comfortable storing business-critical data in the cloud.
However, with increased popularity comes more attention from malicious hackers trying to access PII and other sensitive data. It’s more critical than ever before to understand how — and where — you’re storing your data, and the variety of vulnerabilities that can exist in the apps in your network.
There are four broad categories of vulnerabilities in cloud apps: components, code, design, and configuration. This slideshow features 10 types of vulnerabilities, identified by Ravi Balupari, senior manager, Cloud Security Research and Content Development at Netskope, that fall into these respective categories, and a brief overview of how they impact enterprise cloud apps.