Amazon Drive bans rclone storage client
Presence of encrypted keys in source code runs afoul of rules
Last week, Amazon Web Services banned rclone, an open source cloud storage client application, from accessing Amazon Drive, inconveniencing hundreds or possibly thousands of people using the software.
The reason turns out to be that the software fails to treat its secrets with suitable discretion.
"Rclone has been banned for having the encrypted secrets in the source code," explained Nick Craig-Wood, primary author of the rclone software, in a post on Saturday.
The application's OAuth2 API key, in encrypted form, is included in the rclone source code.
It's common for developers inadvertently to include secrets such as API keys and login credentials, unencrypted, in code posted to public repositories. But this isn't quite the same thing.
Craig-Wood, in a phone interview with The Register, explained that when you make an application that works with Amazon Drive, AWS makes you go through a process of verifying the app and then provide a key that identifies the app.
This key is distinct from credentials used to identify individual AWS accounts that get billed for Drive usage.
The way AWS deals with third-party Drive apps differs from the way Google does it, Craig-Wood explained. "I think Google has a better approach in that Google lets anyone make their own apps keys and if they ban someone, they ban the user rather than the app."
Previously, anyone could take the rclone software, call it something else and submit the renamed application to AWS for a different OAuth2 key, but that's no longer possible because AWS has stopped granting developers access to the Drive API.
The software's non-compliance with AWS rules came up in an Amazon Developer Forums thread dating back to October, 2015.
"If the client secret goes to open source code that means it becomes public and theoretically anyone can use the same client ID/secret to impersonate this client," an Amazon moderator identified as Ross said in January, 2016. "This is completely in violation to the consent provided by the customer that their information can only be accessed by a particular third party."
Craig-Wood, who was aware of Amazon's concerns at the time, said it was unclear why Amazon had decided to ban rclone now, but acknowledged that Amazon may be concerned about the potential for other apps to represent themselves as rclone using rclone's key.
He speculated that Amazon may have started paying more attention to client software after there were security issues with an authentication server for acd_cli, another Amazon Cloud Drive client app that has also been banned.
Craig-Wood said hundreds or possibly thousands of people who use rclone have been affected. Because the software is open source, there's no record of the number of users. But he said the more than 6,000 stars on the software's GitHub repository offers some indication of its popularity.
Presently, he is waiting to hear from Amazon about getting new credentials so he can build an authentication server that keeps the app's OAuth2 key secret. He had hoped to avoid maintaining such a server because he will have to secure it to safeguard all the individual credentials that pass through the server.
There's speculation that Amazon may be having second thoughts about promising unlimited storage for $5 per month. Where Amazon Drive's web interface might place practical limits on high-volume usage, programmatic access to the service makes it cheaper than S3, Amazon's professional storage service, albeit without any service level or availability guarantees.
Various discussions of the rclone ban on Reddit and Hacker News suggest some of those using rclone were uploading vast amounts of data to take advantage of Amazon's absurd commitment to infinite data warehousing.
And it's possible some of that material may include unlawfully copied or illegal content. An advisory against building Amazon Drive apps that perform client-side encryption can be read as Amazon's attempt to avoid dealing with the headache of law enforcement demands to unlock data without the necessary keys.
Amazon did not respond to a request for comment. ®
Sponsored: Becoming a Pragmatic Security Leader