Update (Sep. 28, 2017) – Today a new version of SpiderOak ONE and SpiderOak Groups was released that resolves a bug identified by the researchers involving Share Rooms. With this release, we have resolved all of the security issues reported by our friends at Aarhus University.
Our team recently investigated and resolved three bugs reported by security researchers at Aarhus University (Denmark) in April 2017. The bugs were found in SpiderOak Groups and SpiderOak ONE (version 6.1.5).
Note: Because we don’t provide automatic updates at this time, please ensure you are running the latest version of SpiderOak ONE and SpiderOak Groups (6.4.0 or higher), which can be found here: https://spideroak.com/opendownload.
We greatly appreciate researchers like these, their work, and that they gave us the opportunity to fix these bugs. We wanted to share with you more details about what was found, what it means for our customers, and how we addressed them.
First, none of these bugs found could’ve just “happened” to you as a user, nor could they have been exploited by random actors. Second, the bugs did not make customers vulnerable to an external threat or network attack. The assumption with each of the bugs is that they made users more vulnerable to SpiderOak itself, who would have to be acting maliciously to compromise a user. This was not the threat model SpiderOak was built upon, but we agree wholehearted it should be addressed. We talked about how to build for new threat models like this in a recent blog post.
The following attacks were executed by the Aarhus security researchers on a Debian GNU/Linux virtual machine and conducted as a Man-in-the-Middle attack by manually disabling cert validation for the TLS connection to our servers.
- Active Attacks: To exploit the following issues, an attacker would have needed to tamper with the connection between the SpiderOak client and the server, or the server would have to behave maliciously. All of these were done by disabling SpiderOak’s Man-in-the-Middle protection.
- bcrypt login scheme memory leak – This leak happened only at setup and was a bug in the third-party library SpiderOak uses; this bug leaked memory to the server. We didn’t validate the parameters set by the server, which allowed the SpiderOak server to weaken the strength of the password hashing. We patched the third-party library and validated the parameters to address this issue.
- escrow/challenge – This bug only applied to end-users of the SpiderOak Groups product. It was discovered that an end-user could be unintentionally tricked by the client into revealing their password to the server. The design could also result in the client transmitting the user’s password unencrypted. A lot of the problem here was confusion caused by poor wording on SpiderOak’s end around Fingerprints, which could have caused a user to unintentionally reveal their password to SpiderOak. To address this bug, we now validate the keys and updated the confusing text in the application.
- Remote Procedure Call (RPC) – The client exposed two unsafe RPC methods, which could’ve been used to extract a user’s password. The client had an option to enable remote diagnostics through which an additional unsafe remote procedure could have been exposed. This is a feature that was never implemented on SpiderOak’s server so we’ve removed the offending code from the client.
- Passive Attacks: If a malicious server recorded a previous interaction, particularly a previously transmitted key; then SpiderOak ONE was patched to dump all SSL connection keys it used.
- Shared directories: When a directory was shared in SpiderOak ONE, and the users chose to make the files public, the associated key was revealed forever. The assumption here was that the SpiderOak server was malicious and would keep the associated key forever. We have addressed this by implementing key rotation to protect all future files shared.
While these were all real bugs, they were unintended behavior that we are happy to report as resolved. Please let us know if you have any questions, and be sure to update to the latest patched version, version 6.4.0 or higher, of Groups and ONE: https://spideroak.com/opendownload.
Related post: Learn more about how SpiderOak is preparing for new threat models.