Security vulnerabilities may put millions of users of end-to-end encrypted (E2EE) cloud storage at risk. A recent cryptographic study by researchers at ETH Zurich has revealed significant security flaws in multiple E2EE cloud storage platforms, including Sync, pCloud, Icedrive, Seafile, and Tresorit.
These platforms are relied upon by more than 22 million users and, according to researchers Jonas Hofmann and Kien Tuong Truong, are susceptible to attacks that could expose user data to malicious actors. They pointed out that many of the flaws uncovered directly contradict the marketing claims made by these services, creating a misleading sense of security for users.
“The vulnerabilities pervading E2EE cloud storage highlight a critical blind spot in our grasp of the field,” wrote Truong and Hofmann. “Our findings strongly suggest that, in its current stage, the ecosystem of E2EE cloud storage is largely broken and requires significant reevaluation of its foundations.”
The analysis uncovered critical vulnerabilities in all five products, including issues that let malicious actors inject files, alter data, or access user files. For instance, Sync's vulnerabilities involve unauthenticated key material, permitting attackers to introduce their own encryption keys and jeopardize data security.
pCloud's primary vulnerabilities arise from unauthenticated key material, enabling attackers to overwrite private keys and enforce encryption with keys they control. Icedrive's reliance on unauthenticated CBC encryption leaves it open to file tampering, whereas Seafile is susceptible to protocol downgrades, facilitating password brute-forcing. Additionally, Tresorit's public key authentication depends on server-controlled certificates, which attackers could replace to gain access to shared files.
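The "unauthenticated key material" finding reported for Sync and pCloud comes down to a client using whatever key the server hands back. The sketch below is an added example, not code from the researchers or any of the vendors: it shows one possible client-side check, in which a MAC key derived from the user's password binds a stored public key to its owner. The record layout, the `CONTEXT` label and all function names are hypothetical, and the keys are constructed random bytes.

```python
import hashlib
import hmac
import os

CONTEXT = b"example-key-record-v1"  # hypothetical domain-separation label

def derive_mac_key(password: str, salt: bytes) -> bytes:
    """Derive a client-only MAC key from the password; the server never learns it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

def _tag(mac_key: bytes, user_id: str, public_key: bytes) -> bytes:
    uid = user_id.encode()
    # Length-prefix each field so different (user, key) pairs cannot collide.
    msg = (CONTEXT + len(uid).to_bytes(4, "big") + uid
           + len(public_key).to_bytes(4, "big") + public_key)
    return hmac.new(mac_key, msg, hashlib.sha256).digest()

def seal_key_record(mac_key: bytes, user_id: str, public_key: bytes) -> dict:
    """What the client uploads: the key plus a tag binding it to this user."""
    return {"user_id": user_id, "public_key": public_key,
            "tag": _tag(mac_key, user_id, public_key)}

def open_key_record(mac_key: bytes, user_id: str, record: dict) -> bytes:
    """Return the key only if its tag verifies; otherwise refuse to use it."""
    expected = _tag(mac_key, user_id, record["public_key"])
    if not hmac.compare_digest(expected, record.get("tag", b"")):
        raise ValueError("key material failed authentication")
    return record["public_key"]

def demo() -> dict:
    salt = os.urandom(16)
    mac_key = derive_mac_key("correct horse battery staple", salt)
    genuine = os.urandom(32)  # constructed stand-in for a real public key
    stored = seal_key_record(mac_key, "alice", genuine)
    results = {"genuine_accepted": open_key_record(mac_key, "alice", stored) == genuine}
    # Constructed tampering: the server returns a different key with the old tag.
    swapped = dict(stored, public_key=os.urandom(32))
    try:
        open_key_record(mac_key, "alice", swapped)
        results["swapped_rejected"] = False
    except ValueError:
        results["swapped_rejected"] = True
    return results

if __name__ == "__main__":
    print(demo())
```

The check only helps if the MAC key never leaves the client and the client refuses to encrypt when verification fails, rather than falling back to the unverified key.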
The researchers alerted the affected vendors, and several have outlined plans to resolve the issues. While Sync has promptly moved to address the vulnerabilities, Tresorit has acknowledged the findings and is committed to making continuous improvements.
Icedrive, however, has chosen not to address the issues, while Seafile has committed to fixing the protocol downgrade problem in an upcoming update. The identification of these significant vulnerabilities underscores the necessity of strong security measures in E2EE cloud storage platforms and the importance of vendors prioritizing the protection of user data.