Article Details

Severe flaws in E2EE cloud storage platforms used by millions. Several end-to-end encrypted (E2EE) cloud storage platforms are vulnerable to a set of security issues that could expose user data to malicious actors. Cryptographic analysis from ETH Zurich researchers Jonas Hofmann and Kien Tuong Turong revealed issue with Sync, pCloud, Icedrive, Seafile, and Tresorit services, collectively used by more than 22 million people. The analysis was based on the threat model of an attacker controlling a malicious server that can read, modify, and inject data at will, which is realistic for nation-state actors and sophisticated hackers. The team comments that many of the discovered flaws directly oppose the marketing promises of the platforms, which create a deceptive and false premise for customers. Findings The ETH Zurich researchers found serious vulnerabilities in all five products, including implementations that allow a malicious actor to inject files, tamper with data, or gain access to user files. Here's an overview of the discovered issues: Out of the examined group of five, Tresorit fared relatively better, as the issues discovered do not directly expose file contents or allow for easy data manipulation. Disclosure and vendor responses The researchers notified Sync, pCloud, Seafile, and Icedrive of their findings on April 23, 2024, and contacted Tresorit on September 27, 2024, to discuss potential improvements in their particular cryptographic designs. Icedrive decided not to address the issues, Seafile promised to patch the protocol downgrade problem on a future upgrade, while Sync and pCloud had not responded as of October 10, 2024. BleepingComputer contacted all five cloud service providers for a comment on Hofmann's and Truong's research, and we received the below statements. Sync: Our security team became aware of these issues last week, and we've since taken swift action to address them. We've also reached out to the research team to share findings and collaborate on next steps. The potential data leak issue on links (as reported) has already been fixed, and we are fast-tracking fixes for the remaining potential issues right now. As the research paper outlines, these vulnerabilities exist under the pretext of a compromised server. There is no evidence that these vulnerabilities have been exploited or that file data has been accessed. We understand that by using Sync, trust is placed in us. But the promise of end-to-end encryption is that you don't need to trust anyone, not even us. This concept is at the core of our encryption model and central to what we do. We're committed to getting these issues resolved. Tresorit: The study of ETH Zürich's world-class research team examined the possibility of ten classes of attacks on end-to-end-encrypted cloud storage systems, including confidentiality breaches and file injection vulnerabilities. The findings confirmed that Tresorit's thoughtful design and cryptographic choices made our system largely unaffected by these attacks. While we are pleased with these results, we also recognize the untapped potential the research highlighted. Presenting public key fingerprints to users when sharing folders is on our 2025 roadmap. This will completely prevent key replacement attacks by allowing out-of-band verification. We already do this for business invitations so the user can get cryptographic evidence about their future data administrator before joining. Our Common Criteria EAL4 + AVA_VAN.5 evaluated client software — a first among cloud storage services — requires out-of-band key authentication for folder sharing, too. Even though some metadata, such as the file size, the time of last modification, and folder memberships are shared with the servers, these are also stored as cryptographically authenticated data to prevent tampering. This metadata is also needed to be known on the server side: for the proper bookkeeping of our customers' storage quota, and to enforce server-side access rules as an additional layer of security. At Tresorit, security is our top priority, and we are committed to continuous improvement, using these insights to strengthen our platform further. This research not only helps us evolve but also guides the broader industry toward more secure solutions. Security is the foundation of everything we build, and we are proud to collaborate with academic institutions like the Technical University in Budapest to ensure that we stay at the forefront of innovation in secure cloud storage. Seafile: We don't have anything to comment at the moment. Icedrive and pCloud did not respond to BleepingComputer's request for a statement.