Study outlines 'severe' security issues in cloud providers

An analysis of five end-to-end cloud storage providers revealed severe cryptographic vulnerabilities, according to a whitepaper published this month by researchers at Swiss university ETH Zurich.

The paper, titled "End-to-End Encrypted Cloud Storage in the Wild: A Broken Ecosystem," was authored by ETH Zurich researchers Jonas Hofmann and Kien Tuong Truong. The study concerns an "in-depth analysis" of five end-to-end cloud storage systems belonging to Icedrive, PCloud, Seafile, Sync and Tresorit. The research ultimately found "severe cryptographic vulnerabilities" in four of the five providers, concluding that "many providers fail to provide an adequate level of security."

Although the providers aren't as large as Google and AWS, Hofmann and Truong noted that the five providers serve more than 22 million cumulative users and store hundreds of petabytes of data.

"Our attacks invalidate the marketing claims made by the providers of these systems, showing that a malicious server can, in some cases, inject files in the encrypted storage of users, tamper with file data, and even gain direct access to the content of the files," the paper read. "Many of our attacks affect multiple providers in the same way, revealing common failure patterns in independent cryptographic designs. We conclude by discussing the significance of these patterns beyond the security of the specific providers."

In their analysis, Hofman and Truong conducted an analysis of the aforementioned storage systems with the goal of targeting the confidentiality of file contents as well as metadata -- focusing on file name and location -- and more. The researchers utilized 10 classes of attack across the following four categories:

1. Attacks targeting confidentiality (four attack types).
2. Attacks targeting file data (two attacks).
3. Attacks targeting metadata (two attacks).
4. Two attacks that "can allow an attacker to inject files into the user's storage, making it appear as if the user had uploaded them."

For one attack targeting Sync, "a malicious server is able to force the client to encrypt files using an attacker-controlled key, which then enables the attacker to decrypt them." This issue was also present in PCloud. Sync and Tresorit shared an issue in which they both lacked public key infrastructure and out-of-band verification, which can be used to violate shared folder confidentiality.

In another attack shared by Seafile and PCloud, Hofman and Truong created attacks "that exploit incorrect or lacking authentication of the file chunks, allowing to remove or reorder chunks in a file."

Regarding metadata, Sync, PCloud, Icedrive and Seafile were vulnerable to exploits involving "the binding between files contents, names and paths." A malicious server could exchange the names of two files and, in the case of an Icedrive attack, truncate file names by exploiting a lack of encryption authentication. The researchers claimed that metadata is not integrity-protected in any of the providers, leaving metadata vulnerable.

Sync and PCloud were vulnerable to targeted file injection attacks.

"We provide attacks against Sync and pCloud that allow a malicious server to place files in a user's directory. Specifically, the goal of the adversary is to insert a chosen file into the user's storage, in a way that is indistinguishable from a file that the user uploaded," the report read. "As long as an injected file is indistinguishable from an honestly uploaded file, at least from the user interface, such an attack could be used to place incriminating material in the user's storage, allowing for blackmailing. In Sync, an attacker can inject entire folders into the user's storage (Section 3.4.2). In pCloud, an adversary can add individual files in the storage of the user (Section 3.4.1)."

Full technical details are available in the 14-page report.

Although all five providers had some room for improvement, the researchers argued, Tresorit was the least scathed "due to a comparably more thoughtful design and an appropriate choice of cryptographic primitives."

Hofman and Truong notified all five vendors of issues outlined in the report, suggesting coordinated disclosures with Sync, PCloud, Seafile and Icedrive due to vulnerabilities found. For Tresorit, the researchers contacted the provider to discuss relevant cryptographic design. They said Icedrive acknowledged receipt but opted not to fix outlined issues, Seafile responded and said one of the issues would be addressed, Tresorit acknowledged email receipt, and neither PCloud nor Sync responded to multiple requests as of Sept. 4.

TechTarget Editorial contacted all five vendors for additional comment.

A spokesperson for Sync told TechTarget Editorial that the company's security team became aware on Oct. 11 of issues outlined in the report and that the company has reached out to the research team to share findings and collaborate on next steps. Moreover, the spokesperson said, "The potential data leak issue on links (as reported) has already been fixed, and we are fast-tracking fixes for the remaining potential issues right now."

"As the research paper outlines, these vulnerabilities exist under the pre-text of a compromised server. There is no evidence that these vulnerabilities have been exploited or that file data has been accessed," the spokesperson wrote. "We understand that by using Sync, trust is placed in us. But the promise of end-to-end encryption is that you don't need to trust anyone, not even us. This concept is at the core of our encryption model and central to what we do. We're committed to getting these issues resolved."

A spokesperson for Icedrive said in an email that the company was aware of the research paper and "there is no real danger to the zero-knowledge encrypted data stored on our servers. It cannot be decrypted without knowing the passphrase.

"If someone gains full control over a file server -- which in itself is not an easy task -- and tampers with a user's files, our apps will detect this using the file integrity checks we have and will not decrypt the files, issuing an error warning," the spokesperson said. "We are constantly improving our apps and services, fixing issues and adding new features. We will carefully review our encryption methods and update them to comply with current industry standards."

UPDATE: In an email to TechTarget Editorial, Seafile founder and CEO Daniel Pan addressed the protocol downgrade attack described in the report in which "the adversary can downgrade the security of the encryption protocol [in Seafile], which allows it to attempt brute-force of user passwords."

"For protocol downgrade attack, a check has been added in 9.0.6 version, to ensure the client only accepts protocol version >= 2," Pan wrote. "For unauthenticated encryption and unauthenticated chunking, data integrity of encrypted library is not in the scope of our design. The design goal of encrypted library is [to] prevent the admin from knowing the contents of user's files. Statements about this limitation has been added to our manual. For other metadata related issues, like tampering with file names and locations, it is beyond our design goal too."

Tresorit CTO Peter Budai shared the following statement with TechTarget Editorial:

"The study of ETH Zürich's world-class research team examined the possibility of ten classes of attacks on end-to-end-encrypted cloud storage systems, including confidentiality breaches and file injection vulnerabilities. The findings confirmed that Tresorit's thoughtful design and cryptographic choices made our system largely unaffected by these attacks. While we are pleased with these results, we also recognize the untapped potential the research highlighted.

Presenting public key fingerprints to users when sharing folders is on our 2025 roadmap. This will completely prevent key replacement attacks by allowing out-of-band verification. We already do this for business invitations so the user can get cryptographic evidence about their future data administrator before joining. Our Common Criteria EAL4 + AVA_VAN.5 evaluated client software -- a first among cloud storage services -- requires out-of-band key authentication for folder sharing, too.

Even though some metadata, such as the file size, the time of last modification, and folder memberships are shared with the servers, these are also stored as cryptographically authenticated data to prevent tampering. This metadata is also needed to be known on the server side: for the proper bookkeeping of our customers’ storage quota, and to enforce server-side access rules as an additional layer of security.

At Tresorit, security is our top priority, and we are committed to continuous improvement, using these insights to strengthen our platform further. This research not only helps us evolve but also guides the broader industry toward more secure solutions. Security is the foundation of everything we build, and we are proud to collaborate with academic institutions like the Technical University in Budapest to ensure that we stay at the forefront of innovation in secure cloud storage. 

PCloud did not respond to TechTarget Editorial's request for comment.

This article was updated on 10/22/2024.

Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial.