Cybersecurity researchers have found severe cryptographic issues in various end-to-end encrypted (E2EE) cloud storage platforms that could be exploited to leak sensitive data.
“The vulnerabilities range in severity: in many cases a malicious server can inject files, tamper with file data, and even gain direct access to plaintext,” ETH Zurich researchers Jonas Hofmann and Kien Tuong Truong said. “Remarkably, many of our attacks affect multiple providers in the same way, revealing common failure patterns in independent cryptographic designs.”
The identified weaknesses are the result of an analysis of five major providers: Sync, pCloud, Icedrive, Seafile, and Tresorit. The devised attack techniques hinge on a malicious server that is under an adversary’s control, which could then be used to target the service providers’ users.
A brief description of the flaws uncovered in the cloud storage systems is as follows:
- Sync, in which a malicious server could be used to break the confidentiality of uploaded files, as well as injecting files and tampering with their content
- pCloud, in which a malicious server could be used to break the confidentiality of uploaded files, as well as injecting files and tampering with their content
- Seafile, in which a malicious server could be used to speed up brute-forcing of user passwords, as well as injecting files and tampering with their content
- Icedrive, in which a malicious server could be used to break the integrity of uploaded files, as well as injecting files and tampering with their content
- Tresorit, in which a malicious server could be used to present non-authentic keys when sharing files and to tamper with some metadata in the storage
These attacks fall into one of 10 broad classes that violate confidentiality, target file data and metadata, and allow for injection of arbitrary files:
- Lack of authentication of user key material (Sync and pCloud)
- Use of unauthenticated public keys (Sync and Tresorit)
- Encryption protocol downgrade (Seafile)
- Link-sharing pitfalls (Sync)
- Use of unauthenticated encryption modes such as CBC (Icedrive and Seafile)
- Unauthenticated chunking of files (Seafile and pCloud)
- Tampering with file names and location (Sync, pCloud, Seafile, and Icedrive)
- Tampering with file metadata (affects all five providers)
- Injection of folders into a user’s storage by combining the metadata-editing attack and exploiting a quirk in the sharing mechanism (Sync)
- Injection of rogue files into a user’s storage (pCloud)
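The "unauthenticated encryption modes" and "unauthenticated chunking" classes above both come down to a client decrypting ciphertext it has not verified. The following is an added example, not code from the researchers' paper or from any provider: a client-side integrity check that binds each ciphertext chunk to its file, position and chunk count with HMAC-SHA256. The key names, the 16-byte file ID and the random sample chunks are constructed assumptions.

```python
import hashlib
import hmac
import os
import struct

def _tag(mac_key, file_id, index, total, ciphertext):
    # Bind the chunk to its file (16-byte ID), position and chunk count.
    header = struct.pack(">16sQQ", file_id, index, total)
    return hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()

def seal_chunks(mac_key, file_id, ciphertexts):
    """Before upload: tag every encrypted chunk (an empty file is one empty chunk)."""
    chunks = list(ciphertexts) or [b""]
    return [(ct, _tag(mac_key, file_id, i, len(chunks), ct))
            for i, ct in enumerate(chunks)]

def verify_chunks(mac_key, file_id, stored):
    """After download, before decrypting: reject anything the server altered."""
    if not stored:
        return False  # a sealed file always has at least one chunk
    total = len(stored)  # tags were made with the true count, so truncation fails
    for i, (ct, tag) in enumerate(stored):
        if not hmac.compare_digest(_tag(mac_key, file_id, i, total, ct), tag):
            return False  # modified, reordered, dropped or foreign chunk
    return True

def demo():
    mac_key = os.urandom(32)   # constructed; kept separate from the encryption key
    file_id = os.urandom(16)   # constructed file identifier
    # Constructed random bytes standing in for CBC ciphertext chunks.
    stored = seal_chunks(mac_key, file_id, [os.urandom(32) for _ in range(3)])
    ct0, tag0 = stored[0]
    flipped = (bytes([ct0[0] ^ 1]) + ct0[1:], tag0)
    return {
        "intact": verify_chunks(mac_key, file_id, stored),
        "bit_flipped": verify_chunks(mac_key, file_id, [flipped] + stored[1:]),
        "reordered": verify_chunks(mac_key, file_id, [stored[1], stored[0], stored[2]]),
        "truncated": verify_chunks(mac_key, file_id, stored[:2]),
        "other_file": verify_chunks(mac_key, os.urandom(16), stored),
    }

if __name__ == "__main__":
    print(demo())
```

An AEAD mode such as AES-GCM, with the same header passed as associated data, provides this binding and the encryption in a single primitive.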
“Not all of our attacks are sophisticated in nature, which means that they are within reach of attackers who are not necessarily skilled in cryptography. Indeed, our attacks are highly practical and can be carried out without significant resources,” the researchers said in an accompanying paper.
“Additionally, while some of these attacks are not novel from a cryptographic perspective, they emphasize that E2EE cloud storage as deployed in practice fails at a trivial level and often does not require more profound cryptanalysis to break.”
While Icedrive has opted not to address the identified issues following responsible disclosure in late April 2024, Sync, Seafile, and Tresorit have acknowledged the report. The Hacker News has reached out to each of them for further comment, and we will update the story if we hear back.
The findings come a little over six months after a group of academics from King’s College London and ETH Zurich detailed three distinct attacks against Nextcloud’s E2EE feature that could be abused to break confidentiality and integrity guarantees.
“The vulnerabilities make it trivial for a malicious Nextcloud server to access and manipulate users’ data,” the researchers said at the time, highlighting the need to treat all server actions and server-generated inputs as adversarial to address the problems.
Back in June 2022, ETH Zurich researchers also demonstrated a number of critical security issues in the MEGA cloud storage service that could be leveraged to break the confidentiality and integrity of user data.