Introduction
Cybersecurity researchers from ETH Zurich have uncovered significant cryptographic vulnerabilities in several popular end-to-end encrypted (E2EE) cloud storage platforms [8] [10]. These vulnerabilities, found in services such as Sync, pCloud [1] [2] [3] [4] [5] [6] [7] [8] [9] [10], Icedrive [1] [2] [3] [4] [5] [6] [7] [8] [9] [10], Seafile [1] [2] [3] [4] [5] [6] [7] [8] [9] [10], and Tresorit [1] [2] [3] [4] [5] [6] [7] [8] [9] [10], pose serious security risks to over 22 million users by potentially allowing attackers to manipulate and access sensitive data.
Description
Cybersecurity researchers from ETH Zurich [1] [5] [9] [10], including Jonas Hofmann and Kien Tuong Turong [4], have identified critical cryptographic vulnerabilities in several widely-used end-to-end encrypted (E2EE) cloud storage platforms [2] [8] [10], including Sync [2] [3] [4] [7] [9] [10], pCloud [1] [2] [3] [4] [5] [6] [7] [8] [9] [10], Icedrive [1] [2] [3] [4] [5] [6] [7] [8] [9] [10], Seafile [1] [2] [3] [4] [5] [6] [7] [8] [9] [10], and Tresorit [1] [2] [3] [4] [5] [6] [7] [8] [9] [10], which collectively serve over 22 million users [9] [10]. The vulnerabilities were assessed under a threat model where attackers control malicious servers capable of reading [9], modifying [3] [4] [9], and injecting data [4] [9], a scenario plausible for nation-state actors and advanced hackers [4] [9]. These vulnerabilities could enable malicious servers to tamper with files [2] [10], inject rogue data [2], and access plaintext content [2] [5] [10], undermining the platforms’ security claims and providing customers with a false sense of security [10]. The researchers categorized ten classes of attacks into four areas: confidentiality [10], target file data [10], metadata [1] [2] [3] [5] [7] [8] [10], and arbitrary file injection [10].
Specific vulnerabilities include the lack of authenticated key material in Sync and pCloud, allowing attackers to insert their own encryption keys and compromise file confidentiality. In Seafile [5] [10], an encryption protocol downgrade increases the speed of brute-force password attacks and allows for potential file tampering. Link-sharing pitfalls in Sync encode decryption passwords [10], further compromising security. Icedrive and Seafile utilize unauthenticated encryption modes (CBC), which facilitate content tampering, while both Seafile and pCloud exhibit unauthenticated chunking of files, enabling adversaries to manipulate file segments [10]. Additionally, Sync [1] [2] [3] [4] [5] [6] [7] [8] [9] [10], pCloud [1] [2] [3] [4] [5] [6] [7] [8] [9] [10], Seafile [1] [2] [3] [4] [5] [6] [7] [8] [9] [10], and Icedrive are vulnerable to tampering with file names and locations, while all five providers face risks related to metadata tampering, allowing attackers to alter file creation details and inject rogue files into user storage. Sync is particularly susceptible to folder injection, and pCloud is vulnerable to the injection of rogue file keys and content.
The analysis revealed serious security flaws across all five platforms [9], emphasizing that many of these attacks are practical and do not require advanced cryptographic skills [10], often arising from basic design flaws such as unauthenticated keys [7], weak encryption protocols [7] [8] [10], and improper metadata handling [7]. While some vulnerabilities are not new [8], they highlight fundamental failures in the practical implementation of E2EE cloud storage [8].
Icedrive has acknowledged the report but has not committed to fixes, while Sync [7] [8], Seafile [1] [2] [3] [4] [5] [6] [7] [8] [9] [10], and Tresorit are taking steps to resolve the vulnerabilities [8], with Tresorit engaging in discussions regarding cryptographic design and planning improvements. The findings underscore the urgent need for robust security measures against compromised server threats [8], particularly as E2EE cloud storage providers become attractive targets for threat actors. The researchers communicated their findings to Sync [9], pCloud [1] [2] [3] [4] [5] [6] [7] [8] [9] [10], Seafile [1] [2] [3] [4] [5] [6] [7] [8] [9] [10], and Icedrive on April 23, 2024 [9], and reached out to Tresorit on September 27, 2024 [9], to discuss potential enhancements to their cryptographic designs [9].
Conclusion
The discovery of these vulnerabilities highlights the critical need for improved security measures in E2EE cloud storage platforms. Providers must address these issues promptly to protect users from potential data breaches and unauthorized access. As these platforms continue to be attractive targets for sophisticated threat actors, ongoing vigilance and enhancements in cryptographic design are essential to ensure user data remains secure. The proactive steps taken by some providers to address these vulnerabilities are commendable, but a comprehensive approach to security is necessary to mitigate future risks effectively.
References
[1] https://www.techradar.com/pro/security/several-top-e2ee-cloud-storage-providers-have-serious-security-flaws
[2] https://www.vpnranks.com/news/severe-security-flaws-uncovered-in-encrypted-cloud-storage-platforms/
[3] https://techmonitor.ai/hardware/cloud/millions-of-users-at-risk-due-to-vulnerabilities-in-e2ee-cloud-storage
[4] https://aboutdfir.com/infosec-news-nuggets-10-21-2024/
[5] https://www.techtarget.com/searchSecurity/news/366614215/Study-outlines-severe-security-issues-in-cloud-providers
[6] https://thenimblenerd.com/article/cloudy-with-a-chance-of-data-breaches-e2ee-platforms-under-fire/
[7] https://cybermaterial.com/severe-flaws-found-in-cloud-storage-services/
[8] https://thehackernews.com/2024/10/researchers-discover-severe-security.html
[9] https://www.metacurity.com/australian-man-wanted-by-the-fbi-busted-in-italy-for-scamming-vulnerable-people/
[10] https://www.techworm.net/2024/10/major-cloud-storage-severe-security-flaws.html
