Friday, January 31, 2025

Researchers Discover Severe Security Flaws in Major E2EE Cloud Storage Providers


Major E2EE Cloud Storage Providers

Cybersecurity researchers have discovered severe cryptographic issues in various end-to-end encrypted (E2EE) cloud storage platforms that could be exploited to leak sensitive data.

“The vulnerabilities range in severity: in many cases a malicious server can inject files, tamper with file data, and even gain direct access to plaintext,” ETH Zurich researchers Jonas Hofmann and Kien Tuong Truong said. “Remarkably, many of our attacks affect multiple providers in the same way, revealing common failure patterns in independent cryptographic designs.”

The identified weaknesses are the result of an analysis of five major providers: Sync, pCloud, Icedrive, Seafile, and Tresorit. The devised attack techniques hinge on a malicious server that is under an adversary’s control, which could then be used to target the service providers’ users.


A brief description of the flaws uncovered in the cloud storage systems is as follows –

  • Sync, in which a malicious server could be used to break the confidentiality of uploaded files, as well as to inject files and tamper with their content
  • pCloud, in which a malicious server could be used to break the confidentiality of uploaded files, as well as to inject files and tamper with their content
  • Seafile, in which a malicious server could be used to speed up brute-forcing of user passwords, as well as to inject files and tamper with their content
  • Icedrive, in which a malicious server could be used to break the integrity of uploaded files, as well as to inject files and tamper with their content
  • Tresorit, in which a malicious server could be used to present non-authentic keys when sharing files and to tamper with some metadata in the storage

These attacks fall into one of 10 broad classes that violate confidentiality, target file data and metadata, and allow for the injection of arbitrary files –

  • Lack of authentication of user key material (Sync and pCloud)
  • Use of unauthenticated public keys (Sync and Tresorit)
  • Encryption protocol downgrade (Seafile)
  • Link-sharing pitfalls (Sync)
  • Use of unauthenticated encryption modes such as CBC (Icedrive and Seafile)
  • Unauthenticated chunking of files (Seafile and pCloud)
  • Tampering with file names and location (Sync, pCloud, Seafile, and Icedrive)
  • Tampering with file metadata (impacts all five providers)
  • Injection of folders into a user’s storage by combining the metadata-editing attack and exploiting a quirk in the sharing mechanism (Sync)
  • Injection of rogue files into a user’s storage (pCloud)
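Two of the failure classes above, unauthenticated encryption modes such as CBC and unauthenticated chunking of files, are easiest to see in code. The following Go program is an added example written for this page; it is not code from the paper, from ETH Zurich, or from any of the providers named. It contrasts a CBC design with no integrity check, where a single edited ciphertext byte decrypts silently to altered data, with an AES-GCM design whose authentication tag also covers the file identifier and the chunk’s index and count, so that an edited, reordered, or cross-file chunk fails to open. The function names (sealChunk, openChunk, chunkAAD, Demonstrate), the file identifiers “file-42” and “file-99”, and the sample chunk text are all assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Added example, not code from the paper or from any provider it names: cbcEncrypt/cbcDecrypt
// stand for the weak design, sealChunk/openChunk (illustrative names) for the hardened one.

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func mustBlock(key []byte) cipher.Block {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return block
}

// cbcEncrypt gives confidentiality only; output is iv || ciphertext (plaintext must be block aligned).
func cbcEncrypt(key, plaintext []byte) []byte {
	block := mustBlock(key)
	iv := randomBytes(block.BlockSize())
	out := make([]byte, len(plaintext))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, plaintext)
	return append(iv, out...)
}

// cbcDecrypt cannot tell an edited ciphertext from a genuine one; it returns whatever decrypts.
func cbcDecrypt(key, data []byte) ([]byte, error) {
	block := mustBlock(key)
	bs := block.BlockSize()
	if len(data) < 2*bs || len(data)%bs != 0 {
		return nil, fmt.Errorf("bad ciphertext length %d", len(data))
	}
	pt := make([]byte, len(data)-bs)
	cipher.NewCBCDecrypter(block, data[:bs]).CryptBlocks(pt, data[bs:])
	return pt, nil
}

// chunkAAD binds a chunk to its file id, index and chunk count, so the tag covers position, not just bytes.
func chunkAAD(fileID string, index, total uint32) []byte {
	aad := make([]byte, len(fileID)+8)
	copy(aad, fileID)
	binary.BigEndian.PutUint32(aad[len(fileID):], index)
	binary.BigEndian.PutUint32(aad[len(fileID)+4:], total)
	return aad
}

// sealChunk: AES-GCM with the position in AAD; output is nonce || ciphertext || tag (NewGCM cannot fail for AES).
func sealChunk(key []byte, fileID string, index, total uint32, plaintext []byte) []byte {
	gcm, _ := cipher.NewGCM(mustBlock(key))
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, chunkAAD(fileID, index, total))
}

// openChunk fails if the bytes, the file id or the position differ from what was sealed.
func openChunk(key []byte, fileID string, index, total uint32, sealed []byte) ([]byte, error) {
	gcm, _ := cipher.NewGCM(mustBlock(key))
	ns := gcm.NonceSize()
	if len(sealed) < ns+gcm.Overhead() {
		return nil, fmt.Errorf("sealed chunk too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], chunkAAD(fileID, index, total))
}

// Demonstrate runs both designs against a constructed chunk and reports what the client observes.
func Demonstrate() map[string]bool {
	key := randomBytes(32)
	chunk0 := []byte("chunk 0 of report.pdf, block two") // 32 bytes, constructed sample
	ct := cbcEncrypt(key, chunk0)
	ct[0] ^= 0x20 // flipping an IV byte flips the same byte of the first plaintext block
	pt, cbcErr := cbcDecrypt(key, ct)
	s0 := sealChunk(key, "file-42", 0, 2, chunk0) // chunk 0 of a two-chunk file
	edited := append([]byte(nil), s0...)
	edited[len(edited)/2] ^= 0x01
	_, editErr := openChunk(key, "file-42", 0, 2, edited)
	_, reorderErr := openChunk(key, "file-42", 1, 2, s0) // chunk 0 served where chunk 1 belongs
	_, swapErr := openChunk(key, "file-99", 0, 2, s0)    // chunk moved into a different file
	return map[string]bool{
		"cbc_tamper_undetected": cbcErr == nil,
		"cbc_plaintext_changed": string(pt) != string(chunk0),
		"gcm_edit_detected":     editErr != nil,
		"gcm_reorder_detected":  reorderErr != nil,
		"gcm_swap_detected":     swapErr != nil,
	}
}

func main() { fmt.Println(Demonstrate()) }
```

Run with `go run`, and every entry in the printed map is true: the CBC client accepts the edited ciphertext and hands back data the user never uploaded, while the AEAD client rejects the edit, the reordered chunk, and the chunk moved between files. The design point for defenders is that everything a client relies on to place a chunk (file identity, position, count) has to sit under the authentication tag rather than merely be stored next to the ciphertext; the same reasoning applies to file names and paths, which the list above shows several providers left unauthenticated.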

“Not all of our attacks are sophisticated in nature, which means that they are within reach of attackers who are not necessarily skilled in cryptography. Indeed, our attacks are highly practical and can be carried out without significant resources,” the researchers said in an accompanying paper.

“Moreover, while some of these attacks are not novel from a cryptographic perspective, they emphasize that E2EE cloud storage as deployed in practice fails at a trivial level and often does not require more profound cryptanalysis to break.”


While Icedrive has opted not to address the identified issues following responsible disclosure in late April 2024, Sync, Seafile, and Tresorit have acknowledged the report. The Hacker News has reached out to each of them for further comment, and we will update the story if we hear back.


The findings come a little over six months after a group of academics from King’s College London and ETH Zurich detailed three distinct attacks against Nextcloud’s E2EE feature that could be abused to break confidentiality and integrity guarantees.

“The vulnerabilities make it trivial for a malicious Nextcloud server to access and manipulate users’ data,” the researchers said at the time, highlighting the need to treat all server actions and server-generated inputs as adversarial in order to address the issues.

Back in June 2022, ETH Zurich researchers also demonstrated a number of critical security issues in the MEGA cloud storage service that could be leveraged to break the confidentiality and integrity of user data.
