The Hidden Dangers of End-To-End Encrypted Cloud Storage Platforms
Severe cryptographic vulnerabilities have been uncovered in several popular end-to-end encrypted (E2EE) cloud storage platforms used by millions of people, sending shockwaves through the cybersecurity community.
ETH Zurich researchers Jonas Hofmann and Kien Tuong Truong recently conducted a groundbreaking study analyzing five major E2EE providers—Sync, pCloud, Icedrive, Seafile, and Tresorit—and exposed significant flaws in four of them.
Their study, published earlier this month, sheds light on serious security concerns surrounding these services, especially in scenarios where a malicious server could potentially compromise user data without detection.
The researchers delved into how a compromised server could manipulate, insert, or even access files that users believe are shielded by E2EE protection.
Alarmingly, the findings revealed that four out of the five platforms—Sync, pCloud, Icedrive, and Seafile—are susceptible to various attacks, including file injection, metadata manipulation, and unauthorized access to plaintext data. Notably, Tresorit emerged as the only provider free from these vulnerabilities.
Key Vulnerabilities Unveiled
The researchers identified several critical attack vectors, including:
- File injection, enabling attackers to implant files within a user’s storage space
- Manipulation of filenames and metadata
- Unauthorized access to decrypted content
- Leakage through link-sharing, potentially exposing shared files
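The "manipulation of filenames and metadata" vector above comes down to whether server-visible metadata is covered by the client's authentication tag. The following is an added illustration written for this article, not code from the ETH Zurich study or from any of the named providers; it assumes a client-held AES-256 key, uses a constructed all-zero demo key, and contrasts a design that leaves the filename unauthenticated with one that binds it as AES-GCM associated data so a server-side rename fails to verify.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// aad is the associated data under the AES-GCM tag: nil leaves the filename
// unauthenticated (the weak design); binding it makes a server rename fail to verify.
func aad(name string, bind bool) []byte {
	if bind {
		return []byte("name:" + name)
	}
	return nil
}

func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // demo only: key length is a caller invariant here
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block (16-byte block size)
	return gcm
}

// Seal encrypts plaintext for the file called name; the server stores name in the clear.
func Seal(key []byte, name string, plaintext []byte, bind bool) (nonce, ciphertext []byte) {
	gcm := mustGCM(key)
	nonce = make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return nonce, gcm.Seal(nil, nonce, plaintext, aad(name, bind))
}

// Open decrypts using the name the server currently reports for the file.
func Open(key []byte, name string, nonce, ciphertext []byte, bind bool) ([]byte, error) {
	return mustGCM(key).Open(nil, nonce, ciphertext, aad(name, bind))
}

func main() {
	key := make([]byte, 32) // constructed all-zero demo key, never use in practice
	for _, bind := range []bool{false, true} {
		nonce, ct := Seal(key, "invoice.pdf", []byte("sample body"), bind)
		_, err := Open(key, "other.pdf", nonce, ct, bind) // server renamed the file
		fmt.Println("bind:", bind, "rename detected:", err != nil)
	}
}
```

With bind=false the renamed file decrypts cleanly and the client never learns the server touched it; with bind=true the same rename is rejected, as is any bit flip in the ciphertext.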
Of particular concern was Sync, a widely used service boasting over two million users, including prominent organizations like the Canadian Red Cross and the University of Toronto. The study highlighted Sync’s vulnerability to these attacks, casting doubt on its confidentiality and data integrity assurances.
A Plea for Enhanced Cryptographic Standards
The research attributed these vulnerabilities to common flaws in cryptographic design, affecting multiple providers in a similar fashion. This revelation underscores broader issues in the development of E2EE cloud storage solutions.
“We do not allege malicious intent on the part of the providers themselves. However, the sensitive nature of the data they safeguard makes them lucrative targets for nation-state adversaries and cybercriminals seeking to compromise servers and launch attacks against users,” cautioned Hofmann and Tuong Truong.
The affected companies were promptly notified of these findings earlier this year, with Seafile committing to rectifying the identified issues. However, responses from Sync and pCloud are still pending.