There Are Security Flaws With Major E2EE Cloud Storage Providers

Encryption alone might not always be enough.
October 22, 2024 / meritsolutions

End-to-end encryption (E2EE) is supposed to protect important files with cryptographic technology: Without the key, no one should be able to read the encrypted files. However, when there are security flaws in the process, threat actors can, theoretically, break or bypass that encryption.

As reported by The Hacker News, researchers recently uncovered “severe cryptographic issues” in a number of cloud storage programs that power E2EE services. In the hands of a threat actor, these issues could be exploited to break the encryption and steal the data it is supposed to be protecting.

According to researchers, “the vulnerabilities range in severity: in many cases a malicious server can inject files, tamper with file data, and even gain direct access to plaintext…Remarkably, many of our attacks affect multiple providers in the same way, revealing common failure patterns in independent cryptographic designs.”

Researchers devised attack techniques to test different E2EE systems: The attacks, in theory, could be used by a malicious server to target the users of the E2EE services.

Researchers found five E2EE platforms that were vulnerable in similar ways to their test attacks. A malicious server could break the “confidentiality” of files through the providers Sync and pCloud, for example, and could also inject those files with malware and manipulate their contents. Seafile, on the other hand, could be affected by sped-up brute-forcing of its users’ passwords, as well as by malware injection and content manipulation. A malicious server could break the “integrity” of files uploaded to Icedrive. Tresorit had the most distinct situation, as a malicious server could present false keys when sharing files.

While some of these test attacks were sophisticated, not all of them were. Researchers argue that attackers therefore do not need to be particularly experienced in cryptography to pull this off, which is concerning. What’s more, this isn’t the only research into cloud-based E2EE security issues: Six months ago, another group of researchers found that three attacks targeting an E2EE feature of the company Nextcloud could be exploited to break confidentiality in its encryption.

The companies that have responded to the security report (and not all of them have) have reacted to it differently. Icedrive, for example, acknowledges the report, but says there is no real danger to its users’ data stored on its servers: If a threat actor does somehow break into the servers and access files, Icedrive says its security protocols ensure the files will simply not decrypt, because the only way to decrypt the files is with the passphrase.

Sync, on the other hand, says it has taken “swift action” to fix the issues outlined in the report.
