Severe flaws in E2EE cloud storage platforms used by millions

October 20, 2024 at 12:10PM

Research from ETH Zurich identifies vulnerabilities in five end-to-end encrypted cloud storage platforms: Sync, pCloud, Icedrive, Seafile, and Tresorit, with a combined user base of over 22 million. The issues include unauthorized access to and manipulation of user data. Sync moved quickly to address the findings, while the other providers have been slower to respond or have declined to comment.

### Meeting Takeaways

**Overview of Security Vulnerabilities:**
– A recent analysis by ETH Zurich researchers identified vulnerabilities in five end-to-end encrypted (E2EE) cloud storage platforms: Sync, pCloud, Icedrive, Seafile, and Tresorit. These services have a combined user base of over 22 million people.

**Key Findings:**
1. **General Vulnerabilities Across Platforms:**
– All five services exhibited serious flaws that could allow a malicious actor to inject files, tamper with stored data, or read user files, contradicting the security guarantees the providers advertise.

2. **Platform-Specific Issues:**
– **Sync:**
– Unauthenticated key material, so attacker-chosen encryption keys can be substituted for the user's.
– No authentication of the public keys used for file sharing.
– Shared links that can leak the shared data, and file operations (e.g., renaming, moving) that can be performed without authorization.
– **pCloud:**
– Unauthenticated key material, allowing users' private keys to be overwritten.
– Tamperable file metadata, and unauthenticated chunking that lets the sequence of chunks making up a file be manipulated.
– **Icedrive:**
– Unauthenticated (non-AEAD) encryption, permitting undetected file tampering, plus unauthenticated chunking.
– **Seafile:**
– Protocol downgrade, which enables brute-force attacks, plus data tampering.
– **Tresorit:**
– A better overall design than the others, but the public-key certificates used for sharing are controlled by the server, so a malicious server could substitute them.
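
Two of the vulnerability classes in the list above, unauthenticated encryption and unauthenticated chunking, are easier to see in code. The Go program below is an added example written for this page; it is not code from the ETH Zurich paper or from any of the providers. It assumes AES-CBC without a MAC as the stand-in for "unauthenticated encryption" (the page does not say which mode each provider uses) and uses a constructed key, file ID and file contents. The first half shows a server that stores the IV next to the ciphertext rewriting an ACL field by editing only the IV; the second half shows the server reordering the chunks of a file whose chunks are each sealed with AES-GCM but not bound to their position, and then the same reordering being rejected once the file ID, chunk index and chunk count are placed in the associated data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Constructed demo key (AES-256); a real client derives it from the user's secret.
var demoKey = []byte("0123456789abcdef0123456789abcdef")

// AES-CBC with no MAC ("unauthenticated encryption"); pt must be block-aligned.
func cbcEncrypt(key, iv, pt []byte) []byte {
	block, _ := aes.NewCipher(key)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	return ct
}

func cbcDecrypt(key, iv, ct []byte) []byte {
	block, _ := aes.NewCipher(key)
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pt
}

// forgeIV exploits CBC malleability: plaintext block 0 is D(C0) XOR IV, so XOR-ing the
// stored IV with (old XOR repl) at offset off rewrites those bytes and nothing detects it.
func forgeIV(iv, old, repl []byte, off int) []byte {
	forged := append([]byte(nil), iv...)
	for i := range old {
		forged[off+i] ^= old[i] ^ repl[i]
	}
	return forged
}

// chunkAAD returns the associated data binding a chunk to its file and position
// (fileID || index || count), or nil when binding is disabled.
func chunkAAD(bind bool, fileID []byte, idx, total int) []byte {
	if !bind {
		return nil
	}
	aad := make([]byte, len(fileID)+8)
	copy(aad, fileID)
	binary.BigEndian.PutUint32(aad[len(fileID):], uint32(idx))
	binary.BigEndian.PutUint32(aad[len(fileID)+4:], uint32(total))
	return aad
}

// encryptChunks seals each size-byte chunk (len(data) must be a multiple of size) with
// AES-GCM and returns nonce||ciphertext per chunk. With bind=false each chunk is
// authenticated alone but nothing ties it to its position, so a malicious server can
// reorder, duplicate or drop chunks ("unauthenticated chunking"); with bind=true the AAD
// makes decryptChunks reject any chunk that is not at the index it was sealed for.
func encryptChunks(key, fileID, data []byte, size int, bind bool) [][]byte {
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	n := len(data) / size
	out := make([][]byte, 0, n)
	for i := 0; i < n; i++ {
		nonce := make([]byte, aead.NonceSize())
		rand.Read(nonce)
		aad := chunkAAD(bind, fileID, i, n)
		out = append(out, aead.Seal(nonce, nonce, data[i*size:(i+1)*size], aad))
	}
	return out
}

func decryptChunks(key, fileID []byte, chunks [][]byte, bind bool) ([]byte, error) {
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	ns := aead.NonceSize()
	var out []byte
	for i, c := range chunks {
		pt, err := aead.Open(nil, c[:ns], c[ns:], chunkAAD(bind, fileID, i, len(chunks)))
		if err != nil {
			return nil, fmt.Errorf("chunk %d: %w", i, err)
		}
		out = append(out, pt...)
	}
	return out, nil
}

func main() {
	iv := make([]byte, aes.BlockSize)
	rand.Read(iv)
	ct := cbcEncrypt(demoKey, iv, []byte("acl=read;id=0007"))
	badIV := forgeIV(iv, []byte("read"), []byte("full"), 4)
	fmt.Printf("CBC with forged IV: %q\n", cbcDecrypt(demoKey, badIV, ct))

	file, id := []byte("AAAAAAAABBBBBBBBCCCCCCCC"), []byte("file-42")
	for _, bind := range []bool{false, true} {
		chunks := encryptChunks(demoKey, id, file, 8, bind)
		chunks[0], chunks[1] = chunks[1], chunks[0] // malicious server swaps chunks
		got, err := decryptChunks(demoKey, id, chunks, bind)
		fmt.Printf("bind=%v: %q err=%v\n", bind, got, err)
	}
}
```

Run as-is, the program prints the forged record `acl=full;id=0007` with no error for the CBC case, the file reassembled in swapped order when bind=false, and an authentication error for chunk 0 when bind=true. The fix it illustrates is the general one: use an AEAD and put every piece of context the server could swap (file identifier, chunk index, chunk count, and ideally a file version) into the associated data, so that the server can store and serve ciphertext but cannot rearrange it.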

**Vendor Response:**
– **Sync:** Acknowledged the findings, said it had already fixed the data leak vulnerability and was fast-tracking fixes for the remaining issues, and reiterated its commitment to security.
– **Tresorit:** Said that its overall design protects against the most serious classes of vulnerability and that it plans further security enhancements in 2025, including out-of-band verification of the public keys used for sharing.
– **Seafile:** Had no comment.
– **Icedrive and pCloud:** Had not responded as of October 10, 2024.

### Action Items:
– Monitor progress on the fixes promised by Sync and Seafile.
– Follow up with pCloud and Icedrive for their responses to the findings.
– Review Tresorit's planned 2025 enhancements, in particular out-of-band public-key verification for sharing.
