NEWS
File sharing providers such as Dropbox Inc. and Box Inc. have managed to maintain an impressive security record in spite of safeguarding vast amounts of corporate data that represents a massive target for hackers. But while their backend infrastructure may be protected, the local clients through which users synchronize their data to that backend are an entirely different story.
That’s the revelation from a keynote held at the annual Black Hat security conference this week by researchers with threat intelligence outfit Imperva Inc., who revealed that they have developed a tool that exploits that sharing mechanism to provide unhindered access to documents stored in file lockers. The vulnerability lies in the way that the services verify changes to data.
Dropbox, Box and most of the other major providers assign a cryptographic token to the device from which a user accesses their account. The token serves as a placeholder for their login credentials to guard against interception. Whenever new files or updates are synchronized to the backend, the token is rechecked to confirm the source of the changes.
That provides a much more practical alternative to having workers re-enter their usernames and passwords every time the client on their local machine connects to their cloud-based folder. The problem is that top providers allow tokens to be shared among devices in order to accommodate the new platforms on which users spend more and more of their time, which means that all a hacker has to do is get their hands on a copy.
And as Imperva has discovered, that can be accomplished with only a few temporary changes to the configuration of the targeted machine that are minor enough to escape detection by common virus scanners. The main trick is convincing the user to let the changes be executed, which its researchers achieved through old-fashioned social engineering in the form of a deceptive browser plugin.
Once the attacker has their hands on the token, the synchronization mechanism can be diverted to replicate files to a folder under their control or inject malicious code into documents to infect the user’s device. That’s an especially worrying prospect since the malware can simply be deleted after a successful installation, which makes it much harder to identify the source of the breach.
But the worst part is that the token is not refreshed with password changes, which means that the exploit sidesteps one of the main defense mechanisms with which large organizations protect their users from attack. That leaves organizations to discover breaches after the fact, something that CIOs simply can’t afford.
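An added example, not from the article or from any provider's code: a simplified Python model of the two weaknesses described above (a token accepted from any device, and one that survives a password change) beside a hardened server-side check. The key, device IDs, the password-epoch counter and all function names are assumptions made for illustration; a real device identifier would need to be attested rather than self-reported.

```python
import hashlib
import hmac

SERVER_KEY = b"constructed-demo-key"  # constructed sample secret
password_epoch = {"alice": 1}         # assumed counter, bumped on password change

def _mac(body):
    return hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()

def issue_token(user, device_id):
    """Bind the token to the issuing device and the current password epoch."""
    body = f"{user}|{device_id}|{password_epoch[user]}"
    return f"{body}|{_mac(body)}"

def _parse(token):
    """Return (user, device_id, epoch) if the MAC verifies, else None."""
    try:
        user, device_id, epoch, mac = token.split("|")
    except ValueError:
        return None
    expected = _mac(f"{user}|{device_id}|{epoch}")
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    return user, device_id, int(epoch)

def validate_weak(token, presenting_device):
    """Signature only: a copied token works anywhere, even after a reset."""
    return _parse(token) is not None

def validate_hardened(token, presenting_device):
    """Also require the issuing device and the current password epoch."""
    parsed = _parse(token)
    if parsed is None:
        return False
    user, device_id, epoch = parsed
    return device_id == presenting_device and epoch == password_epoch.get(user)

def change_password(user):
    password_epoch[user] += 1  # invalidates every token issued earlier

def demo():
    token = issue_token("alice", "laptop-01")  # constructed device IDs
    out = {"weak_copied": validate_weak(token, "other-host"),
           "hard_copied": validate_hardened(token, "other-host"),
           "hard_owner": validate_hardened(token, "laptop-01")}
    change_password("alice")
    out["weak_after_reset"] = validate_weak(token, "laptop-01")
    out["hard_after_reset"] = validate_hardened(token, "laptop-01")
    return out
```

Calling `demo()` returns the accept/reject decision for each case, so the weak and hardened checks can be compared side by side.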
As a result, users of Box, Dropbox, Microsoft Corp.’s OneDrive and Google Drive can expect major security updates to their clients in the coming weeks and months. Until then, however, hackers will no doubt do their best to seize this newly found opportunity to try and compromise the world’s many cloud-driven organizations.