Man
22 million users are at risk of losing their data due to security flaws in the services.
Researchers from ETH Zurich conducted a security analysis of five popular end-to-end encrypted cloud storage services: Sync, pCloud, Icedrive, Seafile, and Tresorit. During the study, experts identified serious vulnerabilities on four platforms.
The detected errors make it possible to interfere with user data, replace encryption keys, change the contents of files, and in some cases, gain access to confidential information.
The services are actively used by more than 22 million people, including public and private organizations such as SAP and Pfizer, as well as the governments of Germany and Canada. The study notes that despite the active promotion of zero-knowledge encryption services, the marketing statements of companies do not correspond to the real security of their systems.
The vulnerabilities include the lack of authentication of encryption keys in the Sync and pCloud services, which allows hackers to spoof keys and gain access to encrypted data. Sync and Tresorit lack a mechanism for verifying the authenticity of public keys, which also opens the door to attacks. Seafile is vulnerable to downgrade attacks, which allow cybercriminals to gain access to users' passwords.
In addition, the researchers identified problems with file metadata: in all analyzed services, attackers can change file names, location, and other important parameters, which can lead to file spoofing or misinformation of users.
Experts note that many of the identified problems could have been avoided with the correct use of cryptographic methods. However, these vulnerabilities suggest that the cloud storage ecosystem with E2EE in its current form has significant flaws that require urgent attention from developers.
Source
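As an illustration of the metadata problem described in the post, here is one way a client could detect a storage server changing a file's name, location or content: a keyed tag that binds all three together. This is an added example, not code from the researchers or from any of the named services; the function names, the key and the sample records are constructed for illustration.

```python
import hashlib
import hmac
import struct

def _encode(*fields: bytes) -> bytes:
    # Length-prefix every field so the path/name boundary cannot be shifted.
    return b"".join(struct.pack(">Q", len(f)) + f for f in fields)

def derive_mac_key(master_key: bytes) -> bytes:
    # Domain-separated subkey: the master key is never used directly as a MAC key.
    return hmac.new(master_key, b"metadata-binding-v1", hashlib.sha256).digest()

def seal(mac_key: bytes, path: str, name: str, ciphertext: bytes) -> bytes:
    # The tag covers location, file name and a digest of the encrypted content.
    msg = _encode(path.encode(), name.encode(), hashlib.sha256(ciphertext).digest())
    return hmac.new(mac_key, msg, hashlib.sha256).digest()

def verify(mac_key: bytes, path: str, name: str, ciphertext: bytes, tag: bytes) -> bool:
    # Constant-time comparison of the recomputed tag with the stored one.
    return hmac.compare_digest(seal(mac_key, path, name, ciphertext), tag)

def demo() -> dict:
    # Constructed sample data: the key and the "ciphertexts" are placeholders.
    key = derive_mac_key(b"\x01" * 32)
    report, invoice = b"<ciphertext of report>", b"<ciphertext of invoice>"
    tag = seal(key, "/docs", "report.pdf", report)
    return {
        "untouched": verify(key, "/docs", "report.pdf", report, tag),
        "renamed": verify(key, "/docs", "invoice.pdf", report, tag),
        "moved": verify(key, "/public", "report.pdf", report, tag),
        "content_swapped": verify(key, "/docs", "report.pdf", invoice, tag),
        "boundary_shifted": verify(key, "/docsr", "eport.pdf", report, tag),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:17} {'accepted' if ok else 'rejected'}")
```

A design built on an AEAD cipher gets the same binding by passing the encoded path and name as associated data when the file is encrypted.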