Cybersecurity researchers have discovered severe cryptographic issues in various end-to-end encrypted (E2EE) cloud storage platforms that could be exploited to leak sensitive data.
“The vulnerabilities range in severity: in many cases a malicious server can inject files, tamper with file data, and even gain direct access to plaintext,” ETH Zurich researchers Jonas Hofmann and Kien Tuong Truong said. “Remarkably, many of our attacks affect multiple providers in the same way, revealing common failure patterns in independent cryptographic designs.”
The identified weaknesses are the result of an analysis of five major providers such as Sync, pCloud, Icedrive, Seafile, and Tresorit. The devised attack techniques hinge on a malicious server that’s under an adversary’s control, which could then be used to target the service providers’ users.
A brief description of the flaws uncovered in the cloud storage systems is as follows –
These attacks fall into one of the 10 broad classes that violate confidentiality, target file data and metadata, and allow for injection of arbitrary files –
“Not all of our attacks are sophisticated in nature, which means that they are within reach of attackers who are not necessarily skilled in cryptography. Indeed, our attacks are highly practical and can be carried out without significant resources,” the researchers said in an accompanying paper.
“Additionally, while some of these attacks are not novel from a cryptographic perspective, they emphasize that E2EE cloud storage as deployed in practice fails at a trivial level and often does not require more profound cryptanalysis to break.”
While Icedrive has opted not to address the identified issues following responsible disclosure in late April 2024, Sync, Seafile, and Tresorit have acknowledged the report. The Hacker News has reached out to each of them for further comment, and we will update the story if we hear back.
The findings come a little over six months after a group of academics from King’s College London and ETH Zurich detailed three distinct attacks against Nextcloud’s E2EE feature that could be abused to break confidentiality and integrity guarantees.
“The vulnerabilities make it trivial for a malicious Nextcloud server to access and manipulate users’ data,” the researchers said at the time, highlighting the need to treat all server actions and server-generated inputs as adversarial to address the problems.
Back in June 2022, ETH Zurich researchers also demonstrated a number of critical security issues in the MEGA cloud storage service that could be leveraged to break the confidentiality and integrity of user data.