iDrive backup use SSL 2.0

Cryptography, Encryption, Decryption, Vulnerabilities, What have I discovered?Eitan Caspi

Recently I begun using iDrive cloud backup service, using their Windows client.

Being who I am I sniffed around and found that during the backup the Windows app is backing up files to the service server using SSL 2.0, which is considered as not secure.
See a Wireshark screenshot below.

Log of events trying to get iDrive response for this issue:

2-Dec-2019 – I sent an email to their support asking about this problem. I received immediately an auto-reply email with support case ID number

7-Dec-2019 – Since I didn’t get any human reply, I sent another email asking for reply, using the relevant case ID.

9-Dec-2019 – I got a reply that my case was filed under a case ID for all the past enhancements requests I sent before
Right after accepting this email I replied that this is not an enhancement request but a vulner to take care of and that I wish a security employee will contact me

That’s it. Nothing since then. It’s time to go public.

To their credit I must note that they claim their app encrypts the data before it is sent over the network (I didn’t check this part. Yet…).
Still, I believe every layer should be secured correctly.

iDrive backup user SSL 2.0 during backup
TCPView session showing process connections to the same IP address
TCPView process properties for the relevant process, showing it is related to iDrive
Spread the love
          

Leave a Reply

Your email address will not be published. Required fields are marked *