October 21, 2024 at 03:12AM
Cybersecurity researchers identified serious cryptographic vulnerabilities in end-to-end encrypted cloud storage platforms (Sync, pCloud, Icedrive, Seafile, Tresorit) that allow malicious servers to leak sensitive data, tamper with files, and access plaintext. Some providers acknowledged the issues, while Icedrive has not taken corrective action.
### Meeting Takeaways: October 21, 2024
**Topic: Encryption / Data Protection Vulnerabilities in E2EE Cloud Storage Platforms**
1. **Recent Findings**: Cybersecurity researchers from ETH Zurich have identified serious cryptographic vulnerabilities in several end-to-end encrypted (E2EE) cloud storage services, including Sync, pCloud, Icedrive, Seafile, and Tresorit.
2. **Common Issues**: Many of the platforms share similar vulnerabilities, indicating widespread design flaws in their cryptographic implementations. Several attack methods can compromise confidentiality and data integrity.
3. **Specific Vulnerabilities**:
– **Sync**: Malicious servers can breach file confidentiality, inject files, and tamper with content. Issues include lack of authentication for user key material and unauthenticated public keys.
– **pCloud**: Similar to Sync, with vulnerabilities allowing for confidentiality breaches and file tampering. It is also susceptible to rogue file injection.
– **Seafile**: Vulnerable to password brute-forcing, file tampering, and an encryption protocol downgrade.
– **Icedrive**: Affected by integrity breaches and file tampering, using unauthenticated encryption modes.
– **Tresorit**: Risks include presenting non-authentic keys and metadata tampering.
4. **Attack Types**: The vulnerabilities can be categorized into ten broad classes, including:
– Lack of authentication for keys
– Unauthenticated public keys
– Encryption protocol downgrades
– Link-sharing pitfalls
– Unauthenticated encryption modes
– Tampering with file metadata and names
5. **Security Implications**: The ease with which these vulnerabilities can be exploited suggests that even attackers with limited cryptographic knowledge can effectively compromise data security.
6. **Response from Providers**:
– Icedrive has not addressed the issues reported.
– Sync, Seafile, and Tresorit have acknowledged the vulnerabilities.
– Follow-up communications with these providers are expected.
7. **Context**: This report follows similar research findings from King’s College London and ETH Zurich, which highlighted vulnerabilities in Nextcloud and previously in MEGA.
**Next Steps**:
– Monitor responses from the affected cloud storage providers.
– Consider additional analysis or recommendations for improving data protection strategies across these platforms.
**For Further Reading**: Follow updates on Twitter and LinkedIn for more exclusive content related to cybersecurity research.