Severe flaws in E2EE cloud storage platforms used by millions

submitted by
Style Pass
2024-10-20 20:30:03

Several end-to-end encrypted (E2EE) cloud storage platforms are vulnerable to a set of security issues that could expose user data to malicious actors.

Cryptographic analysis from ETH Zurich researchers Jonas Hofmann and Kien Tuong Truong revealed issues with the Sync, pCloud, Icedrive, Seafile, and Tresorit services, collectively used by more than 22 million people.

The analysis was based on the threat model of an attacker controlling a malicious server that can read, modify, and inject data at will, which is realistic for nation-state actors and sophisticated hackers.

The team comments that many of the discovered flaws directly oppose the marketing promises of the platforms, which create a deceptive and false premise for customers.

The ETH Zurich researchers found serious vulnerabilities in all five products, including implementations that allow a malicious actor to inject files, tamper with data, or gain access to user files. Here's an overview of the discovered issues:

Out of the examined group of five, Tresorit fared relatively better, as the issues discovered do not directly expose file contents or allow for easy data manipulation.
