Cybersecurity researchers have discovered severe cryptographic issues in several end-to-end encrypted (E2EE) cloud storage platforms that could be exploited to leak sensitive data.
“The vulnerabilities range in severity: in many cases a malicious server can inject files, tamper with file data, and even gain direct access to plaintext,” ETH Zurich researchers Jonas Hofmann and Kien Tuong Truong said. “Remarkably, many of our attacks affect multiple providers in the same way, revealing common failure patterns in independent cryptographic designs.”
The identified weaknesses are the result of an analysis of five major providers such as Sync, pCloud, Icedrive, Seafile, and Tresorit. The devised attack techniques hinge on a malicious server that is under an adversary’s control, which could then be used to target the service providers’ users.
A brief description of the flaws uncovered in the cloud storage systems is as follows –
- Sync, in which a malicious server could be used to break the confidentiality of uploaded files, as well as injecting files and tampering with their content
- pCloud, in which a malicious server could be used to break the confidentiality of uploaded files, as well as injecting files and tampering with their content
- Seafile, in which a malicious server could be used to speed up brute-forcing of user passwords, as well as injecting files and tampering with their content
- Icedrive, in which a malicious server could be used to break the integrity of uploaded files, as well as injecting files and tampering with their content
- Tresorit, in which a malicious server could be used to present non-authentic keys when sharing files and to tamper with some metadata in the storage
These attacks fall into one of the 10 broad classes that violate confidentiality, target file data and metadata, and allow for injection of arbitrary files –
- Lack of authentication of user key material (Sync and pCloud)
- Use of unauthenticated public keys (Sync and Tresorit)
- Encryption protocol downgrade (Seafile)
- Link-sharing pitfalls (Sync)
- Use of unauthenticated encryption modes such as CBC (Icedrive and Seafile)
- Unauthenticated chunking of files (Seafile and pCloud)
- Tampering with file names and location (Sync, pCloud, Seafile, and Icedrive)
- Tampering with file metadata (impacts all five providers)
- Injection of folders into a user’s storage by combining the metadata-editing attack and exploiting a quirk in the sharing mechanism (Sync)
- Injection of rogue files into a user’s storage (pCloud)
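An added illustration of the "unauthenticated chunking" class in the list above (not code from the researchers' paper or from any of the providers): a client-side integrity check that tags each chunk in isolation still accepts the chunks when the server returns them reordered or truncated, while a tag that also covers the file id, the chunk index and a last-chunk flag rejects both. The key, file ids and chunk contents are constructed sample values, and HMAC-SHA256 over opaque byte strings stands in for whatever authenticated encryption a real client would use.

```python
import hashlib
import hmac
import struct

def _tag(key: bytes, context: bytes, chunk: bytes) -> bytes:
    # Length-prefix the context so the context/chunk boundary is unambiguous.
    msg = struct.pack(">I", len(context)) + context + chunk
    return hmac.new(key, msg, hashlib.sha256).digest()

def _context(file_id: bytes, index: int, final: bool) -> bytes:
    # Binds a chunk to one file and one position, and marks the last chunk.
    return struct.pack(">QB", index, int(final)) + file_id

def seal(key, file_id, chunks, bind=True):
    """Return [(chunk, tag)]. bind=False tags each chunk in isolation (weak)."""
    out = []
    for i, c in enumerate(chunks):
        ctx = _context(file_id, i, i == len(chunks) - 1) if bind else b""
        out.append((c, _tag(key, ctx, c)))
    return out

def verify(key, file_id, sealed, bind=True):
    """True only if every tag is valid for the order the server returned."""
    if not sealed:  # assumption: a file is always stored as at least one chunk
        return False
    for i, (c, t) in enumerate(sealed):
        ctx = _context(file_id, i, i == len(sealed) - 1) if bind else b""
        if not hmac.compare_digest(t, _tag(key, ctx, c)):
            return False
    return True

# Constructed sample data: opaque stand-ins for already-encrypted chunks.
KEY = bytes(range(32))
CHUNKS = [b"chunk-A", b"chunk-B", b"chunk-C"]

def results(bind):
    """Verify three server responses built from the same stored chunks."""
    sealed = seal(KEY, b"file-1", CHUNKS, bind)
    views = {
        "as_stored": sealed,
        "reordered": [sealed[1], sealed[0], sealed[2]],
        "truncated": sealed[:2],
    }
    return {name: verify(KEY, b"file-1", v, bind) for name, v in views.items()}

if __name__ == "__main__":
    print("per-chunk tag only:", results(False))
    print("tag bound to file/index/final:", results(True))
```
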
“Not all of our attacks are sophisticated in nature, which means that they are within reach of attackers who are not necessarily skilled in cryptography. Indeed, our attacks are highly practical and can be carried out without significant resources,” the researchers said in an accompanying paper.
“Additionally, while some of these attacks are not novel from a cryptographic perspective, they emphasize that E2EE cloud storage as deployed in practice fails at a trivial level and often does not require more profound cryptanalysis to break.”
While Icedrive has opted not to address the identified issues following responsible disclosure in late April 2024, Sync, Seafile, and Tresorit have acknowledged the report. The Hacker News has reached out to each of them for further comment, and we will update the story if we hear back.
The findings come a little over six months after a group of academics from King’s College London and ETH Zurich detailed three distinct attacks against Nextcloud’s E2EE feature that could be abused to break confidentiality and integrity guarantees.
“The vulnerabilities make it trivial for a malicious Nextcloud server to access and manipulate users’ data,” the researchers said at the time, highlighting the need to treat all server actions and server-generated inputs as adversarial to address the problems.
Back in June 2022, ETH Zurich researchers also demonstrated a number of critical security issues in the MEGA cloud storage service that could be leveraged to break the confidentiality and integrity of user data.