First of all, I love my Shadow. I have been using Shadow since 2019 and I am convinced that it is the best such product on the market. I therefore hope that my text will be understood as constructive criticism and not as an attempt to discredit Shadow. Nevertheless, what I have to report about Shadow is very worrying from a purely security point of view. And Shadow Support's handling of this problem is more than unworthy of the company's otherwise good reputation.
- - -
TLdr; (summary of the post, for those who don't want to read it in full):
- Shadow does not have 2-factor authentication (an absolute no-no for a cloud PC!).
- Shadow sessions persist even if you've changed your email address and password multiple times. Once logged in, the attacker can stay logged in no matter how many times you change your credentials.
- There is no way to log out from all devices. Even via shadow support a multi-day/multi-week(?) endeavor.
- Anyone who temporarily gains access to your email address can hijack your Shadow indefinitely without you being able to do anything about it.
- When recovering the password, there is no compulsion to change the password, someone can gain access to Shadow through your email account without you even noticing, because the old password remains.
- There are no notifications about unusual or suspicious activity in your account, probably they are not even recorded.
- Shadow support is not able to help you after a compromise, except to ban your account and forward the case internally, which means very long waits during which you will not be able to use your shadow.
- Opened tickets will still be sent to the old (in the worst case compromised) email address instead of the new one. This way, attackers can intercept your tickets and prevent you from stopping the accessing of the shadow through the Shadow support.
- Conclusion: for being an entire PC in the cloud, Shadow is worryingly unprotected.
- - -
Now the incident in detail:
About the specific case: in December, I caught a Trojan, one that hijacks sessions, steals cookies and scans the computer for credentials. In this way, both my Google account and my Yahoo account were compromised. Whether the session could be intercepted with Shadow, I can't say in hindsight, but the email address associated with Shadow definitely was. I rebooted my system and changed all my credentials. Among them, of course, Shadow's. To be on the safe side, I created a completely new email address with a provider I don't normally use and put it in my Shadow account. Except for a Google Ads account created in my name, nothing else happened, Google responded within just a few hours, canceled the Ads account and sent me a security warning that my device was most likely compromised and automatically logged me out everywhere on my device. Google deserves the highest praise at this point for such effective security measures. The complete opposite, as I unfortunately discovered, is the case with Shadow.
The attackers managed to gain access to my Shadow using my (compromised) email address. Logged in on Shadow, they then grabbed everything they could. I only lost a few semi-important gaming accounts and email addresses I no longer use, but only because I've always been careful not to store anything sensitive on Shadow out of pure paranoia and to use a separate Google account for Shadow. I don't even want to imagine what it would have been like if I had more sensitive data and more valuable gaming accounts there.
The interesting thing, though, is that this all happened _after_ I changed both the email address and password on Shadow! Initially, I assumed that my computer would still be compromised and went looking for the cause. The very first thing I wanted to do, of course, was to log off my Shadow from all devices so that the attackers would no longer have access to it. This is where the rude awakening began: Such a function simply does not exist in the customer interface! I only had the possibility to completely reset my shadow, which I did, so that the attackers would at least not have found anything that they could have stolen. Nevertheless, the Shadow was now "fair game" and could be used by the attackers at will and for all conceivable purposes. I don't even dare to ask who would be liable in the end if, for example, crimes were committed with the Shadow.
Next, I changed my email address and password again, better safe than sorry. But then I realized that my email address and password don't matter as long as I'm logged in to Shadow, which I remain until I manually log out, which used to seem like a handy feature turned out to be a security horror scenario in this case. Once logged in to Shadow, you can stay logged in for as long as you want, regardless of whether your credentials have been changed or not. In this particular case, it also meant that the attackers could stay logged in and use Shadow for any length of time. Incidentally, this would also be the case if one logged in on a public computer, at a friend's house, etc., and did not log out afterwards. There is simply no way to log out of certain or all devices after the fact, as mentioned above. However, that's not all...
While contacting support to solve the problem, I experimented a bit. So I wanted to test what happens if someone is in possession of the email address associated with Shadow and went to the website to reset my password. The website emailed me a recovery link, which I then clicked. I did not have to change my password, I was just told to please change it (when I get the chance). Which means: If someone has temporary access to my email address, they can use this function, gain access and then delete the email. I would not even notice this, because the password was not changed at all. Any warnings about suspicious activity (recovery requested, logged in from a foreign device, etc.) do not come from Shadow at all. So, unless the attacker specifically reveals that he was on Shadow, he can maintain access to Shadow for an indefinite period of time without me even noticing, even if I changed the email address and password long ago.
Now one might assume that this problem could at least be fixed by Shadow support, again this is simply not the case. I reported my case on 01/09/2023, support responded within a few hours. Before my request could be forwarded internally, I was first asked to identify myself via ID card (not that a stranger would try to log me out of all devices?). I complied with the request, of course, but found it highly absurd that anyone with access to my shadow account can completely delete my VM and all the data on it with a single click, but I have to identify myself first to log out of all devices. But well, what don't you do for security, after all, attackers still have the ability to use my Shadow. Support promptly banned my account so that no one could access the shadow anymore. Annoying, but so the danger was banished for the time being. It took about a day until I received an answer from support that everything was done now. My account was unbanned again and my email address was changed again by support. The support assured me that my account was now unregistered from all devices and that everything was fine. Unfortunately this was not the case. I opened my shadow client and found that my previous session was still active, so I was able to start and access the shadow without any problems. Although I was still logged into the client with an email address and password that I had changed 3 (!) times since then! Fortunately, I was vigilant about this and didn't trust the support, otherwise I would now be using a shadow that the attackers could still access and not suspect anything. Whether the average Shadow user would have had the same foresight at this point, I just dare to doubt, because the Shadow support clearly guaranteed here: ”You were logged out of all devices, everything is fine now.”
So I reported the case to support again and repeatedly explained the problem in as much detail as possible and pointed out the security holes. Support banned my account again (with my consent) and promised to forward the case internally. Support itself apparently doesn't have the tools or authorization to log out an account from all devices. Unfortunately, Support was not willing to explain to whom this was ultimately forwarded and why the deregistration was not done properly the first time. According to support, however, these people are probably "the developers" (so there is no technical department?).
Despite daily inquiries to support, nothing has been done about my problem until today (01/15/2023). It is day 7 of the incident and who knows how many more days will pass. Support would not give a prognosis, so it is something between 1 day and 1,000 years. Am I the first to have this happen to me or why is it not possible to give an estimate of how quickly "the developers" usually respond to such a problem. Since Shadow has been on the market, has no one felt the need to unsubscribe from all devices? After all, that would be advisable considering the fact that the session doesn't expire even if you change your credentials multiple times.
In addition, the tickets I opened after changing my email address were still sent to my old email address and have continued to be for days. If my inbox had continued to be compromised, it would have been easy for the attackers to intercept these tickets and prevent me from stopping the accessing somehow at least through support. The entry ticket in the dashboard would have done nothing, as Shadow Support insists that you first identify yourself before taking any action or forwarding the case internally.
I am disappointed, but most of all surprised, how carelessly Shadow treats the security of customer accounts and thus also the data stored on Shadow and the accounts connected there, and how poorly Shadow is able to react to security-related incidents. After all, Shadow is an entire computer in the cloud and not, say, a forum where people discuss their favorite plants. And yet, many simple forums have better security measures than Shadow, not to mention large providers.
Conclusion: Since Shadow has just this kind of security policy towards its customers, no Shadow is even remotely secure. Even losing your email address, even for a few minutes, can lead to attackers with malicious intentions infiltrating your shadow. There is not much you can do about it, except let the support ban your shadow and pray that you will be able to use it again in a few weeks. Which btw would only work if you were able to get the access to your old email address back, otherwise you won’t receive any reply from support and will not be able to take any action. For that to happen, you'd have to notice the whole thing first, otherwise you'll have a permanent "roommate" who can do whatever he wants with your shadow.
Thank you for making this post and for being a fan; we truly appreciate your support and that you care enough to share your feedback.
We are working on improving our overall login and security features. At the moment, there is no 2FA or MFA for our web login. I recommend making your password unique to lower the possibility of your account being hacked.
Our current security process requires you to authenticate a device from the code we sent to your email in order to register and use Shadow on that device. In the future, we do hope to improve our security features. There have been discussions internally about 2FA/MFA and the ability to log out of every device.
This specific post has already been shared with our Dev and Product Team back when the post was originally made. You may be assured that I will bring this up again about our current security process, this way this remains a top-of-mind topic when making improvements to Shadow.
Once again, as Shadow and the space of cloud gaming is currently improving and advancing, we greatly appreciate your patience and feedback.
We truly believe by listening to our Users, we will know what we’re doing right and—most importantly—what we should continue to improve upon.