Scholars Point Out Security Vulnerabilities in E2EE Cloud Storage Systems

Key Takeaways
  • Vulnerabilities in multiple end-to-end encrypted (E2EE) cloud storage platforms have been exposed by a recent study.
  • The services pCloud, Sync, Icedrive, Seafile, and Tresorit were shown to be susceptible.
  • These sites are used by more than 22 million people, which presents a serious security risk.

According to a new study conducted by experts at ETH Zurich, there are significant security vulnerabilities in a number of end-to-end encrypted (E2EE) cloud storage services.

Malicious actors may be able to access user data using these vulnerabilities, particularly if they have control of a malicious server that has the ability to read, alter, or inject data. This kind of danger is especially worrisome because it may originate from nation-state actors or even skilled hackers.

Researchers discovered flaws in Sync, pCloud, and other platforms.

According to the detailed research paper, E2EE cloud storage systems such as pCloud, Sync, Icedrive, Seafile, and Tresorit are vulnerable to a number of threats.

In theory, E2EE keeps third parties from accessing data while it is in transit by making sure it is encrypted on the sender’s device and only decrypted on the recipient’s device.

However, according to the report, platforms that use this encryption technique are vulnerable to a number of threats that might jeopardize millions of users’ data.

For example, pCloud does not authenticate its key material, which allows attackers to overwrite private keys. Similar problems with Sync allow hackers to insert their own encryption keys, jeopardizing the integrity of the data.

Icedrive has its own problems because it uses unauthenticated cipher block chaining (CBC) encryption, which has a flaw that allows malicious actors to change file names and contents.

Seafile’s dependence on unauthenticated CBC encryption likewise permits file tampering, and protocol downgrades expose it to password brute-force attacks.

Tresorit has limitations as well because it relies on server-controlled certificates for public key authentication. An attacker may readily access shared files if they were to alter these certificates.

However, the analytical report pointed out that the E2EE paradigm is not used by popular cloud storage providers like Dropbox, OneDrive, and Google Drive. Instead, these platforms employ Transport Layer Security (TLS) during transmission, so that data is not intercepted by hostile actors, and 256-bit AES encryption at rest.

These disclosures are in line with a StationX.net analysis that indicated cloud-stored data was involved in 82% of data breaches in 2023. As cloud storage continues to take the lead in how individuals store and access their data, this figure highlights the increasing need for stronger security measures.

People and organizations need to think about the consequences of depending on E2EE cloud storage solutions in light of these vulnerabilities.
