Cybersecurity researchers have discovered severe cryptographic issues in various end-to-end encrypted (E2EE) cloud storage platforms that could be exploited to leak sensitive data.
"The vulnerabilities range in severity: in many cases a malicious server can inject files, tamper with file data, and even gain direct access to plaintext," ETH Zurich researchers Jonas Hofmann and Kien Tuong Truong said. "Remarkably, many of our attacks affect multiple providers in the same way, revealing common failure patterns in independent cryptographic designs."
The identified weaknesses are the result of an analysis of five major providers: Sync, pCloud, Icedrive, Seafile, and Tresorit. The devised attack techniques hinge on a malicious server that's under an adversary's control, which could then be used to target the service providers' users.
A brief description of the flaws uncovered in the cloud storage systems is as follows -
- Sync, in which a malicious server could be used to break the confidentiality of uploaded files, as well as injecting files and tampering with their content
- pCloud, in which a malicious server could be used to break the confidentiality of uploaded files, as well as injecting files and tampering with their content
- Seafile, in which a malicious server could be used to speed-up brute-forcing of user passwords, as well as injecting files and tampering with their content
- Icedrive, in which a malicious server could be used to break the integrity of uploaded files, as well as injecting files and tampering with their content
- Tresorit, in which a malicious server could be used to present non-authentic keys when sharing files and to tamper with some metadata in the storage
The attacks fall into 10 broad classes, which variously violate confidentiality, target file data and metadata, and allow for the injection of arbitrary files -
- Lack of authentication of user key material (Sync and pCloud)
- Use of unauthenticated public keys (Sync and Tresorit)
- Encryption protocol downgrade (Seafile)
- Link-sharing pitfalls (Sync)
- Use of unauthenticated encryption modes such as CBC (Icedrive and Seafile)
- Unauthenticated chunking of files (Seafile and pCloud)
- Tampering with file names and location (Sync, pCloud, Seafile, and Icedrive)
- Tampering with file metadata (impacts all five providers)
- Injection of folders into a user's storage by combining the metadata-editing attack and exploiting a quirk in the sharing mechanism (Sync)
- Injection of rogue files into a user's storage (pCloud)
"Not all of our attacks are sophisticated in nature, which means that they are within reach of attackers who are not necessarily skilled in cryptography. Indeed, our attacks are highly practical and can be carried out without significant resources," the researchers said in an accompanying paper.
"Additionally, while some of these attacks are not novel from a cryptographic perspective, they emphasize that E2EE cloud storage as deployed in practice fails at a trivial level and often does not require more profound cryptanalysis to break."
While Icedrive has opted not to address the identified issues following responsible disclosure in late April 2024, Sync, Seafile, and Tresorit have acknowledged the report. The Hacker News has reached out to each of them for further comment, and we will update the story if we hear back.
The findings come a little over six months after a group of academics from King's College London and ETH Zurich detailed three distinct attacks against Nextcloud's E2EE feature that could be abused to break confidentiality and integrity guarantees.
"The vulnerabilities make it trivial for a malicious Nextcloud server to access and manipulate users' data," the researchers said at the time, highlighting the need to treat all server actions and server-generated inputs as adversarial to address the problems.
Back in June 2022, ETH Zurich researchers also demonstrated a number of critical security issues in the MEGA cloud storage service that could be leveraged to break the confidentiality and integrity of user data.
Responses from the companies
Icedrive - We are aware of this research paper. The paper describes possible attacks within the "compromised server" threat model, where an adversary gains full control over a file server and can modify or delete files. The paper also mentions the use of a MITM server which must be able to decrypt HTTPS/SSL traffic.
We want to reassure our users that there is no real danger to the zero-knowledge encrypted data stored on our servers - it cannot be decrypted without knowing the passphrase. If someone gains full control over a file server (which in itself is not an easy task) and tampers with a user's files, our apps will detect this using the file integrity checks we have and will not decrypt the files, issuing an error warning.
We are constantly improving our apps and services, fixing issues and adding new features. We will carefully review our encryption methods and update them to comply with current industry standards.
Sync - Our security team became aware of these issues on October 11, and we've since taken swift action to address them. We've also reached out to the research team to share findings and collaborate on next steps.
The potential data leak issue on links (as reported) has already been fixed, and we are fast-tracking fixes for the remaining potential issues right now. As the research paper outlines, these vulnerabilities exist under the pretext of a compromised server. There is no evidence that these vulnerabilities have been exploited or that file data has been accessed.
We understand that by using Sync, trust is placed in us. But the promise of end-to-end encryption is that you don't need to trust anyone, not even us. This concept is at the core of our encryption model and central to what we do.
We're committed to getting these issues resolved.
Tresorit - The study of ETH Zürich's world-class research team examined the possibility of ten classes of attacks on end-to-end-encrypted cloud storage systems, including confidentiality breaches and file injection vulnerabilities. The findings confirmed that Tresorit's thoughtful design and cryptographic choices made our system largely unaffected by these attacks. While we are pleased with these results, we also recognize the untapped potential the research highlighted.
Presenting public key fingerprints to users when sharing folders is on our 2025 roadmap. This will completely prevent key replacement attacks by allowing out-of-band verification. We already do this for business invitations so the user can get cryptographic evidence about their future data administrator before joining. Our Common Criteria EAL4 + AVA_VAN.5 evaluated client software — a first among cloud storage services — requires out-of-band key authentication for folder sharing, too.
Even though some metadata, such as the file size, the time of last modification, and folder memberships are shared with the servers, these are also stored as cryptographically authenticated data to prevent tampering. This metadata is also needed to be known on the server side: for the proper bookkeeping of our customers' storage quota, and to enforce server-side access rules as an additional layer of security.
At Tresorit, security is our top priority, and we are committed to continuous improvement, using these insights to strengthen our platform further. This research not only helps us evolve but also guides the broader industry toward more secure solutions. Security is the foundation of everything we build, and we are proud to collaborate with academic institutions like the Technical University in Budapest to ensure that we stay at the forefront of innovation in secure cloud storage.
Seafile - For the protocol downgrade attack, a check has been added in version 9.0.6 to ensure the client only accepts protocol version >= 2.
For unauthenticated encryption and unauthenticated chunking, data integrity of the encrypted library is not within the scope of our design. The design goal of the encrypted library is to prevent the admin from knowing the contents of a user's files. Statements about this limitation have been added to our manual: https://manual.seafile.com/security/security_features/
Other metadata-related issues, like tampering with file names and locations, are beyond our design goal too.
pCloud - At pCloud, safeguarding our users' data is our highest priority. Our encryption service is designed to provide top-level protection, ensuring your information remains secure at all times.
We are aware of recent research discussing theoretical attack scenarios. We want to reassure you that these findings do not compromise the actual security of your files. While we appreciate the importance of security research, some aspects of the report contain inaccuracies or are based on highly unrealistic conditions that do not reflect real-world threats.
We take all security concerns seriously and are committed to transparency with our users. Should any actionable insights arise from this research, we will promptly implement enhancements to further strengthen our security measures.
We remain dedicated to providing a highly secure cloud storage solution and are confident that our encryption service is among the safest options available worldwide.