Researchers from ETH Zurich have discovered critical security vulnerabilities in several widely used end-to-end encrypted (E2EE) cloud storage services, highlighting significant risks to file confidentiality, data integrity, and overall security. The study evaluated five E2EE cloud storage providers—Sync, pCloud, Seafile, Icedrive, and Tresorit—serving about 22 million users globally, and found that four out of these five services exhibited severe flaws that undermine their security promises.
Findings on Encryption Vulnerabilities
Assessment of Encryption Claims Versus Reality
Despite their claims of robust encryption designed to protect user data from unauthorized access, researchers Jonas Hofmann and Kien Tuong Truong uncovered substantial gaps. These vulnerabilities could allow attackers to bypass encryption, tamper with data, or even inject unauthorized files into users’ storage systems, posing severe risks to those relying on these platforms for secure storage. Their findings were prominently presented at the ACM Conference on Computer and Communications Security (CCS), bringing the issue to the attention of industry professionals and security experts.
The researchers discovered that among the services tested, Tresorit was noted for having the fewest vulnerabilities, with minor risks relating to metadata tampering and non-authentic keys during file sharing. Although these issues are not as severe as others, they still pose specific risks. The remaining four services showed more significant weaknesses, which increase the likelihood of data exposure or tampering. This suggests a need for heightened scrutiny and improvements to the security frameworks of these providers to truly protect user data as advertised.
Key Vulnerabilities Identified
Key vulnerabilities identified in the study include unauthenticated key material in Sync and pCloud, allowing attackers to insert their own keys and decrypt sensitive files. Moreover, Sync and Tresorit were found to be susceptible to unauthorized key replacement during file sharing, which permits attackers to intercept or alter files. Seafile was identified as being vulnerable to protocol downgrade attacks, making it susceptible to brute-force attacks by downgrading to weaker encryption standards favored by attackers.
Icedrive and Seafile’s use of unauthenticated encryption modes also poses a significant concern, as it enables attackers to modify and corrupt file contents. These findings indicate severe flaws that need immediate attention to ensure that the security promises made to users are upheld. The critical nature of these vulnerabilities warrants industry-wide response and solution implementation to mitigate any risks posed to the enormous user base relying on these cloud services.
Providers’ Responses and Future Steps
Informing and Addressing Vulnerabilities
The researchers took responsible disclosure steps by informing the affected providers of these findings in April 2024, witnessing varying responses. Sync and pCloud have thus far remained silent, with no public response or acknowledgment of the critical issues uncovered. On the other hand, Seafile has actively engaged in preparing to patch the identified protocol downgrade issue, showcasing their commitment to user security. Icedrive has taken a different stance by declining to address the concerns raised by the study, which may raise questions about their security-first approach.
Tresorit acknowledged the findings but provided no further comment on their plans to address the vulnerabilities. According to a report from BleepingComputer, however, Sync has been "fast-tracking fixes" and has already resolved some of the identified file-sharing link issues. The varied responses highlight different levels of commitment towards addressing security concerns, with some providers more proactive in ensuring enhanced protections.
Industry Impact and Future Protocols
Researchers at ETH Zurich have identified critical security vulnerabilities within several popular end-to-end encrypted (E2EE) cloud storage services. These weaknesses pose significant threats to file confidentiality, data integrity, and the overall security of the systems. The study analyzed five E2EE cloud storage providers: Sync, pCloud, Seafile, Icedrive, and Tresorit, which collectively serve around 22 million users worldwide. Disturbingly, the findings revealed that four of these five services have severe flaws that compromise their security assurances. This is particularly alarming given the prevailing assumption that E2EE services offer superior protection by encrypting files on the user’s device before uploading them to the cloud. Such vulnerabilities could potentially expose sensitive data to unauthorized access and manipulation, undermining the primary purpose of using encrypted storage services. The study emphasizes the urgent need for these providers to address and rectify these issues to maintain user trust and ensure the robust protection of their data.