
Study highlights severe security issues in cloud providers


An in-depth analysis conducted by researchers at Swiss university ETH Zurich has revealed severe cryptographic vulnerabilities in five end-to-end encrypted (E2EE) cloud storage providers. The whitepaper, titled “End-to-End Encrypted Cloud Storage in the Wild: A Broken Ecosystem” and authored by ETH Zurich researchers Jonas Hofmann and Kien Tuong Truong, highlighted the vulnerabilities present in Icedrive, pCloud, Seafile, Sync, and Tresorit.

The research, which examined the security of these cloud storage systems, found that four out of the five providers had significant cryptographic vulnerabilities that could pose risks to the confidentiality of user data. Despite not being as prominent as major players like Google and AWS, these providers collectively serve over 22 million users and store vast amounts of data, making the vulnerabilities a cause for concern.

The analysis conducted by Hofmann and Truong encompassed various types of attacks that could compromise the security of the systems. These attacks targeted confidentiality, file data, and metadata, and even allowed malicious servers to inject files into users’ storage, creating the potential for data tampering and unauthorized access to sensitive information.

Specific vulnerabilities were identified in each of the providers, such as the ability for a malicious server to force the client to encrypt files using an attacker-controlled key, allowing for decryption by the attacker. Issues with public key infrastructure and out-of-band verification were also found in Sync and Tresorit, potentially compromising shared folder confidentiality.

Furthermore, attacks exploiting authentication issues of file chunks were discovered in Seafile and pCloud, enabling attackers to manipulate file contents. Metadata vulnerabilities were prevalent in Sync, pCloud, Icedrive, and Seafile, with issues related to file content binding, file path manipulation, and lack of metadata integrity protection.
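The chunk-authentication and content-binding problems described above can be illustrated with an added example that is not code from the article, the researchers, or any of the providers. It treats the chunks as already-encrypted bytes and uses HMAC-SHA256 as a stand-in for an AEAD tag; all function names, the file identifier, and the paths are hypothetical. It compares tags computed over each chunk in isolation with tags that also cover the file identifier, path, chunk index, and chunk count.

```python
import hashlib
import hmac
import struct

def _tag(key, *fields):
    # Length-prefix each field so field boundaries cannot be shifted.
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for f in fields:
        mac.update(struct.pack(">Q", len(f)) + f)
    return mac.digest()

def seal_weak(key, chunks):
    # Each chunk authenticated in isolation: no file, path or position context.
    return [(c, _tag(key, c)) for c in chunks]

def open_weak(key, sealed):
    for c, t in sealed:
        if not hmac.compare_digest(t, _tag(key, c)):
            raise ValueError("chunk tag mismatch")
    return b"".join(c for c, _ in sealed)

def _ctx(file_id, path, index, total):
    return (file_id, path.encode(), struct.pack(">QQ", index, total))

def seal_bound(key, file_id, path, chunks):
    chunks = list(chunks) or [b""]  # an empty file still gets one authenticated chunk
    return [(c, _tag(key, *_ctx(file_id, path, i, len(chunks)), c))
            for i, c in enumerate(chunks)]

def open_bound(key, file_id, path, sealed):
    if not sealed:
        raise ValueError("no authenticated chunks")
    for i, (c, t) in enumerate(sealed):
        want = _tag(key, *_ctx(file_id, path, i, len(sealed)), c)
        if not hmac.compare_digest(t, want):
            raise ValueError(f"chunk {i} not bound to this file/path/position")
    return b"".join(c for c, _ in sealed)

def rejected(fn, *args):
    # True when the opener refuses the stored data.
    try:
        fn(*args)
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    key = b"\x01" * 32                    # constructed demo key
    parts = [b"pay ", b"alice ", b"100"]  # constructed stand-ins for ciphertext chunks
    weak = seal_weak(key, parts)
    bound = seal_bound(key, b"file-1", "/docs/a.txt", parts)
    print(open_weak(key, [weak[0], weak[2]]))  # altered chunk list still verifies
    print(rejected(open_bound, key, b"file-1", "/docs/a.txt", [bound[0], bound[2]]))
    print(rejected(open_bound, key, b"file-1", "/tmp/b.txt", bound))
```

Because the chunk count is part of every tag, removing a chunk changes the count the client recomputes and every remaining tag fails, so truncation is caught without a separate manifest.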

One of the most concerning vulnerabilities identified was the ability for attackers to inject files into users’ storage in a way that appeared indistinguishable from user-uploaded files. This could potentially lead to scenarios where incriminating material is planted in user storage, enabling blackmail. Sync and pCloud were specifically vulnerable to these types of attacks.

While all five providers were found to have security flaws, Tresorit emerged as the least affected due to its thoughtfully designed system and choice of cryptographic primitives. The researchers notified the vendors of the issues and suggested coordinated disclosures for vulnerabilities found, with varying responses from each provider.

Sync, pCloud, Seafile, and Icedrive were contacted about the vulnerabilities found, with responses varying from acknowledgment and fixes in progress to lack of response. Tresorit engaged in discussions regarding cryptographic design improvements. Moving forward, the providers are expected to address the identified vulnerabilities to enhance the security of their cloud storage systems.

In response to the findings, a spokesperson for Sync assured that steps are being taken to address the issues and that the potential data leak problem has already been fixed. Similarly, Icedrive emphasized the security of their zero-knowledge encrypted data and their commitment to updating encryption methods to align with industry standards.

The vulnerabilities identified in the study highlight the importance of robust security measures in cloud storage systems to safeguard user data and maintain confidentiality. As the providers work towards resolving the issues, ongoing vigilance and adherence to best security practices will be crucial in ensuring the integrity and privacy of user data.
