Several major end-to-end encrypted cloud storage services contain cryptographic flaws that could lead to loss of confidentiality, file tampering, file injection and more, researchers from ETH Zurich said in a paper published this month.
The five cloud services studied offer end-to-end encryption (E2EE), intended to ensure files cannot be read or edited by anyone other than the uploader, meaning not even the cloud storage provider can access the files.
However, ETH Zurich researchers Jonas Hofmann and Kien Tuong Truong, who presented their findings at the ACM Conference on Computer and Communications Security (CCS) last week, found serious flaws in four out of the five services that could effectively bypass the security benefits provided by E2EE by enabling an attacker who managed to compromise a cloud server to access, tamper with or inject files.
The E2EE cloud storage services studied were Sync, pCloud, Seafile, Icedrive and Tresorit, which have a collective total of about 22 million users. Tresorit had the fewest vulnerabilities, which could enable some metadata tampering and use of non-authentic keys when sharing files. The other four services were found to have more severe flaws posing a greater risk to file confidentiality and integrity.
10 E2EE cloud service exploits examined
The researchers tested 10 potential exploits against E2EE cloud storage services; all of these exploits would require the attacker to have already gained control of a server with the ability to read, modify and inject data. The authors wrote that they consider this to be a realistic threat model for E2EE services, as these services are meant to protect files even if such a compromise were to occur.
Two services, Sync and pCloud, were found to be vulnerable to exploitation due to unauthenticated key material, which would allow an attacker to substitute or inject their own encryption keys and ultimately decrypt and access uploaded files.
Sync and Tresorit were also found to have unauthenticated public keys, which could potentially allow for replacement of public keys with attacker-controlled keys during file sharing between users.
Seafile was found to have a flaw that enabled downgrading of the encryption protocol to use fewer iterations of the Key Derivation Function (KDF) and increase the risk of brute-force attacks.
Sync additionally had a flaw in which decryption passwords were leaked through file-sharing links, undermining confidentiality.
Unauthenticated encryption modes were used by Icedrive and Seafile, which could enable an attacker to tamper with the ciphertext and thus alter and corrupt file contents. Unauthenticated chunking – the process of separating files into storage chunks – was also an issue for pCloud, Icedrive and Seafile, opening the potential for attackers to reorder, remove or corrupt chunks, endangering file integrity.
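As an added illustration (not code from the paper or from any of the services named), the sketch below shows a client-side check of the kind that unauthenticated chunking lacks: each ciphertext chunk carries an HMAC bound to its file, its position and the total chunk count, so a reordered, removed or altered chunk fails verification on download. The function names, the 16-byte file identifier and the MAC key (assumed to be derived on the client and never known to the server) are assumptions of this example.

```python
import hashlib
import hmac

def chunk_tag(mac_key: bytes, file_id: bytes, index: int, total: int, chunk: bytes) -> bytes:
    """HMAC over the ciphertext chunk plus the context it must appear in."""
    if len(file_id) != 16:
        raise ValueError("file_id must be 16 bytes so the header is unambiguous")
    header = file_id + index.to_bytes(8, "big") + total.to_bytes(8, "big")
    return hmac.new(mac_key, header + chunk, hashlib.sha256).digest()

def seal(mac_key, file_id, chunks):
    """Client side, before upload: attach a tag to every ciphertext chunk."""
    if not chunks:
        raise ValueError("store an empty file as one empty chunk")
    total = len(chunks)
    return [(c, chunk_tag(mac_key, file_id, i, total, c)) for i, c in enumerate(chunks)]

def verify(mac_key, file_id, stored):
    """Client side, after download: reject reordered, missing or altered chunks."""
    if not stored:
        raise ValueError("no chunks returned")
    total = len(stored)  # bound into every tag, so dropping a chunk breaks them all
    for i, (chunk, tag) in enumerate(stored):
        if not hmac.compare_digest(tag, chunk_tag(mac_key, file_id, i, total, chunk)):
            raise ValueError(f"chunk {i} failed authentication")
    return [chunk for chunk, _ in stored]

def is_intact(mac_key, file_id, stored):
    """Boolean wrapper around verify() for callers that only need a yes/no."""
    try:
        verify(mac_key, file_id, stored)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    # Constructed sample data: a fixed demo key, file id and "ciphertext" chunks.
    key, fid = b"\x01" * 32, b"\x02" * 16
    stored = seal(key, fid, [b"chunk-A", b"chunk-B", b"chunk-C"])
    print("as uploaded:", is_intact(key, fid, stored))
    print("reordered:  ", is_intact(key, fid, [stored[1], stored[0], stored[2]]))
    print("truncated:  ", is_intact(key, fid, stored[:2]))
```

An authenticated encryption mode that takes the same header as associated data would give the same binding without a separate MAC pass.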
The researchers additionally tested their ability to exploit flaws in the services to tamper with file names, tamper with metadata, inject files and inject folders into the user’s storage. All of the tested services, except for Tresorit, enabled file-name tampering, and all five services enabled metadata tampering. pCloud enabled file injection into user storage, while Sync, Icedrive and Seafile also risked file injection but only under specific circumstances. Folder injection was found to be possible on Sync, pCloud and Seafile.
Overall, all of the services leaked metadata and directory structure to the attacker, while Seafile also leaked some plaintext information due to the use of a fixed initialization vector (IV) for encryption of all chunks, which can reveal similarities in plaintexts between chunks.
The authors said the flaws uncovered by their research reveal a pervasive problem throughout the E2EE cloud service market, noting that similar flaws were present across multiple services. They conclude that more analyses of E2EE cloud storage systems “in the wild” are needed to better understand the current challenges facing deployed systems, and that the industry should ultimately aim for a standard protocol for secure E2EE cloud storage.
The researchers disclosed their findings to Sync, pCloud, Seafile and Icedrive on April 23, 2024, and to Tresorit on Sept. 27, 2024. Sync and pCloud had not responded to the researchers by the time they published their paper, while Seafile said they planned to patch the protocol downgrade issue and Icedrive opted not to address the reported issues. Tresorit was said to have acknowledged the researchers’ email on Sept. 30.
BleepingComputer reported that Sync has since said they are “fast-tracking fixes” for the reported issues, and that the issue of data leaks via sharing links has already been fixed.