Major Security Flaws Found in Popular Encrypted Cloud Storage Services, Risking Data for 22 Million Users

October 22, 2024
  • The researchers conducted a cryptographic analysis based on a threat model involving an attacker controlling a malicious server, a plausible scenario for sophisticated hackers and nation-state actors.

  • These services collectively serve over 22 million users and exhibit flaws that could allow malicious actors to access user data or manipulate files.

  • The analysis revealed ten broad classes of vulnerabilities, such as lack of authentication of user key material and the use of unauthenticated encryption modes.

  • pCloud's vulnerabilities stem from unauthenticated keys that enable attackers to overwrite private keys and manipulate file metadata.

  • For Icedrive, attackers could undermine file integrity and inject malicious content, while for Tresorit, a malicious server could present fake keys for file sharing.

  • Icedrive's use of unauthenticated CBC encryption makes it susceptible to file tampering, allowing attackers to alter file names and manipulate chunks.

  • Despite the findings, Icedrive has not addressed the identified vulnerabilities, whereas Sync, Seafile, and Tresorit have acknowledged the report and are taking steps to improve security.

  • The researchers informed the affected companies of their findings on April 23, 2024, with Tresorit notified later on September 27, 2024.

  • Recent research from ETH Zurich has uncovered significant vulnerabilities in several end-to-end encrypted cloud storage platforms, including Sync, pCloud, Icedrive, Seafile, and Tresorit.

  • Common weaknesses allow a malicious server to inject files, tamper with file data, and gain direct access to plaintext in these cloud services.

  • Specific flaws compromise confidentiality and integrity: in Sync and pCloud, an attacker can break confidentiality and inject files, while Seafile is vulnerable to password brute-forcing and file tampering.

  • Sync's vulnerabilities include unauthenticated key material, allowing attackers to inject encryption keys, rename files, and compromise the confidentiality of user data.
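The unauthenticated-CBC item above describes a server altering file names and manipulating chunks without the client noticing. The following is an added example, not code from the researchers or from any of the named services, of a client-side encrypt-then-MAC check that rejects such changes before decryption; the function names, header layout, key and sample chunks are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 output size

def _tag(mac_key, file_name, index, total, ciphertext):
    # Bind the ciphertext to its file name and position so a server cannot
    # rename the file, reorder chunks, or drop trailing chunks undetected.
    name = file_name.encode("utf-8")
    header = struct.pack(">I", len(name)) + name + struct.pack(">QQ", index, total)
    return hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()

def seal_chunks(mac_key, file_name, cipher_chunks):
    """Append a tag to each already-encrypted chunk (encrypt-then-MAC)."""
    total = len(cipher_chunks)
    return [c + _tag(mac_key, file_name, i, total, c)
            for i, c in enumerate(cipher_chunks)]

def verify_chunks(mac_key, file_name, stored):
    """Return the ciphertext chunks, or raise ValueError before any decryption."""
    out = []
    for i, blob in enumerate(stored):
        if len(blob) < TAG_LEN:
            raise ValueError(f"chunk {i}: too short")
        c, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
        if not hmac.compare_digest(tag, _tag(mac_key, file_name, i, len(stored), c)):
            raise ValueError(f"chunk {i}: authentication failed")
        out.append(c)
    return out

def rejected(mac_key, file_name, stored):
    """True if verification refuses the stored chunks."""
    try:
        verify_chunks(mac_key, file_name, stored)
        return False
    except ValueError:
        return True

# Constructed sample data: three opaque stand-ins for CBC ciphertext chunks and
# a MAC key held only by the client (separate from the encryption key, and
# never accepted from the server).
KEY = bytes(range(32))
CHUNKS = [bytes([n]) * 32 for n in (1, 2, 3)]
STORED = seal_chunks(KEY, "report.pdf", CHUNKS)
```

The check only helps if the MAC key itself is authentic, which is the separate "unauthenticated key material" class listed above.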

Summary based on 3 sources

