Man
Professional
A team of scientists from the Swiss Federal Institute of Technology in Zurich has discovered vulnerabilities in the encryption schemes of E2EE cloud storage providers that could allow attackers to decrypt data and gain access to customer files.
The cryptographic analysis covered five major vendors in the field (Sync, pCloud, Icedrive, Seafile and Tresorit) and was carried out under a malicious-server model.
In this model the server is controlled by an attacker who can read, modify and inject data at will. It is a strong attacker model, but the most realistic one for E2EE cloud storage,
and, as the researchers note, it is exactly the model against which the providers' own security claims are made.
In practice, however, the cryptographic designs do not deliver what the respective security whitepapers describe.
The providers themselves are unlikely to act maliciously; the same cannot be said of APTs, which, given the value of the stored data, will certainly try to compromise the server and mount attacks on users.
Overall, the E2EE cloud services Seafile, Icedrive, pCloud and Sync turned out to be leaky.
The impact ranges from injecting malicious files into a user's storage or modifying existing ones, up to direct access to plaintext.
Vulnerabilities were also found in Tresorit, but they only allow an attacker to modify metadata.
Notably, many of the attacks affect several vendors in the same way, revealing common failure patterns across independently designed cryptographic constructions.
The researchers notified Sync, pCloud, Seafile and Icedrive of their findings on April 23, 2024, proposing coordinated vulnerability disclosure with a standard 90-day disclosure window.
Icedrive acknowledged receipt of the report the same day and, after a brief exchange, chose not to address the issues. Seafile acknowledged receipt on April 24, 2024 and promised a fix.
As of October 10, 2024, Sync and pCloud have not responded, and Tresorit only acknowledged receipt of the report at the end of September.
Taken together with the earlier analyses of MEGA and Nextcloud, the findings show that the E2EE cloud storage market is still "immature" and needs more fundamental work on privacy.
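To make the malicious-server model concrete, here is an added example (written for this post, not taken from the ETH Zurich paper and not the construction of any provider named above). A toy client stores blobs on a server that is fully attacker-controlled and can read, modify, move and inject what it stores. The "unauthenticated" client variant silently accepts a server-side bit flip that changes a payment amount; the "authenticated" variant, which binds the ciphertext and the file name under an HMAC tag, rejects both a bit flip and a file swap. The stream cipher (a CTR-style keystream derived with HMAC-SHA256), the file names and the contents are all constructed for the illustration so that it runs on the Python standard library alone.

```python
"""Toy E2EE client versus a malicious storage server (illustration only)."""
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: bytes) -> bytes:
    # CTR-style keystream from HMAC-SHA256(key, nonce || counter); a stand-in
    # for a real stream mode, chosen only so the script needs no third-party AES.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_unauthenticated(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt_unauthenticated(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def encrypt_authenticated(enc_key: bytes, mac_key: bytes, plaintext: bytes, name: bytes) -> bytes:
    # Encrypt-then-MAC; the tag also covers the file name so the server cannot
    # move a valid blob under a different name without detection.
    body = encrypt_unauthenticated(enc_key, plaintext)
    return body + hmac.new(mac_key, name + body, hashlib.sha256).digest()


def decrypt_authenticated(enc_key: bytes, mac_key: bytes, blob: bytes, name: bytes) -> bytes:
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, name + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext or file name was tampered with")
    return decrypt_unauthenticated(enc_key, body)


class MaliciousServer:
    """Storage backend under attacker control: never sees keys, but controls bytes."""

    def __init__(self):
        self.store = {}

    def put(self, name: str, blob: bytes) -> None:
        self.store[name] = blob

    def get(self, name: str) -> bytes:
        return self.store[name]

    def tamper_xor(self, name: str, offset: int, mask: bytes) -> None:
        # Flip bits at a known plaintext position without knowing the key.
        blob = bytearray(self.store[name])
        for i, m in enumerate(mask):
            blob[offset + i] ^= m
        self.store[name] = bytes(blob)

    def move(self, src: str, dst: str) -> None:
        self.store[dst] = self.store.pop(src)


PLAINTEXT = b"transfer amount=1000 to=alice"  # constructed sample file content
FLIP_1_TO_9 = bytes([ord("1") ^ ord("9")])    # XOR mask turning '1' into '9'


def demo_unauthenticated() -> bytes:
    key, server = os.urandom(32), MaliciousServer()
    server.put("invoice.txt", encrypt_unauthenticated(key, PLAINTEXT))
    server.tamper_xor("invoice.txt", NONCE_LEN + PLAINTEXT.index(b"1000"), FLIP_1_TO_9)
    return decrypt_unauthenticated(key, server.get("invoice.txt"))  # amount becomes 9000


def demo_authenticated_bitflip() -> str:
    enc_key, mac_key, server = os.urandom(32), os.urandom(32), MaliciousServer()
    server.put("invoice.txt", encrypt_authenticated(enc_key, mac_key, PLAINTEXT, b"invoice.txt"))
    server.tamper_xor("invoice.txt", NONCE_LEN + PLAINTEXT.index(b"1000"), FLIP_1_TO_9)
    try:
        decrypt_authenticated(enc_key, mac_key, server.get("invoice.txt"), b"invoice.txt")
        return "accepted"
    except ValueError:
        return "rejected"


def demo_authenticated_swap() -> str:
    enc_key, mac_key, server = os.urandom(32), os.urandom(32), MaliciousServer()
    server.put("invoice.txt", encrypt_authenticated(enc_key, mac_key, PLAINTEXT, b"invoice.txt"))
    server.move("invoice.txt", "readme.txt")  # inject the blob under another name
    try:
        decrypt_authenticated(enc_key, mac_key, server.get("readme.txt"), b"readme.txt")
        return "accepted"
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    print("unauthenticated client read:", demo_unauthenticated())
    print("authenticated client, bit flip:", demo_authenticated_bitflip())
    print("authenticated client, file swap:", demo_authenticated_swap())
```

The point of the example is the gap between "the server cannot read my files" and "the server cannot change my files": confidentiality alone gives the malicious server free rein over integrity and metadata, and only the variant whose tag covers both the ciphertext and its name closes that off.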