Major Security Flaws Found in Popular Encrypted Cloud Storage Services, Affecting 22 Million Users
October 21, 2024
Recent research from ETH Zurich has uncovered significant vulnerabilities in several end-to-end encrypted (E2EE) cloud storage platforms, including Sync, pCloud, Icedrive, Seafile, and Tresorit, renewing security concerns about the sector.
These five services collectively serve over 22 million users, making the implications of these vulnerabilities particularly concerning.
The vulnerabilities identified include unauthenticated key material in Sync and pCloud, which could allow attackers to substitute encryption keys, and unauthenticated encryption modes in Icedrive and Seafile, which allow ciphertext to be tampered with undetected.
If a cloud server is compromised, attackers could access, tamper with, or inject files, with specific flaws allowing for direct file injection in pCloud and Sync, and metadata tampering across all services.
Seafile's vulnerabilities include the ability to downgrade the encryption protocol, which facilitates password brute-forcing, and a lack of ciphertext authentication that permits file tampering.
Icedrive's issues could undermine file integrity and allow for the injection of malicious content, while Tresorit could present fake keys during file sharing.
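The two recurring root causes above, unauthenticated encryption modes and unauthenticated key material, share one defensive fix: every byte the client accepts back from the server (ciphertext, metadata, wrapped keys) must carry an integrity tag computed under a key the server never holds. The following is an added illustration written for this summary, not code from the research or from any of the named services; it uses a toy counter-mode cipher built from HMAC-SHA256 and the Python standard library only, and the file paths and keys in it are constructed sample values.

```python
"""Unauthenticated vs. authenticated encryption for server-held data.

Toy construction (constructed for illustration, not a production cipher and not
the scheme of any named service): a counter-mode keystream from HMAC-SHA256,
with an optional Encrypt-then-MAC tag over metadata + nonce + ciphertext.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def derive_subkeys(master_key: bytes):
    """Independent encryption and MAC keys from one user-held master key."""
    enc_key = hmac.new(master_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy CTR keystream: concatenated HMAC-SHA256(enc_key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_unauthenticated(master_key: bytes, plaintext: bytes) -> bytes:
    """Confidentiality only: nonce || (plaintext XOR keystream). Nothing binds the bytes."""
    enc_key, _ = derive_subkeys(master_key)
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + xor_bytes(plaintext, keystream(enc_key, nonce, len(plaintext)))


def decrypt_unauthenticated(master_key: bytes, blob: bytes) -> bytes:
    """Never fails: a modified ciphertext simply yields a different plaintext."""
    enc_key, _ = derive_subkeys(master_key)
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return xor_bytes(ct, keystream(enc_key, nonce, len(ct)))


def encrypt_authenticated(master_key: bytes, plaintext: bytes, associated: bytes = b"") -> bytes:
    """Encrypt-then-MAC; the tag covers associated data (e.g. the file path) too."""
    _, mac_key = derive_subkeys(master_key)
    body = encrypt_unauthenticated(master_key, plaintext)
    tag = hmac.new(mac_key, associated + body, hashlib.sha256).digest()
    return body + tag


def decrypt_authenticated(master_key: bytes, blob: bytes, associated: bytes = b"") -> bytes:
    """Verify the tag (constant time) before any decryption; fail closed."""
    _, mac_key = derive_subkeys(master_key)
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, associated + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext, nonce or metadata was modified")
    return decrypt_unauthenticated(master_key, body)


def tampering_goes_unnoticed(master_key: bytes, plaintext: bytes) -> bool:
    """One flipped ciphertext bit at the server: unauthenticated decryption returns altered data silently."""
    blob = bytearray(encrypt_unauthenticated(master_key, plaintext))
    blob[NONCE_LEN] ^= 0x01
    recovered = decrypt_unauthenticated(master_key, bytes(blob))
    return recovered != plaintext and len(recovered) == len(plaintext)


def tampering_is_detected(master_key: bytes, plaintext: bytes) -> bool:
    """The same modification against the authenticated form is rejected."""
    path = b"/docs/report.pdf"  # constructed sample metadata
    blob = bytearray(encrypt_authenticated(master_key, plaintext, path))
    blob[NONCE_LEN] ^= 0x01
    try:
        decrypt_authenticated(master_key, bytes(blob), path)
    except ValueError:
        return True
    return False


def metadata_swap_is_detected(master_key: bytes, plaintext: bytes) -> bool:
    """Re-filing an intact ciphertext under another path fails because the path is authenticated."""
    blob = encrypt_authenticated(master_key, plaintext, b"/docs/report.pdf")
    try:
        decrypt_authenticated(master_key, blob, b"/docs/other.pdf")
    except ValueError:
        return True
    return False


def substituted_key_is_detected(user_master_key: bytes) -> bool:
    """Per-file keys stored on the server are wrapped and tagged under the user's key;
    a wrapped key produced under any other key is refused instead of being used."""
    label = b"file-key:report.pdf"  # constructed sample label
    file_key = secrets.token_bytes(32)
    genuine = encrypt_authenticated(user_master_key, file_key, label)
    other_master = secrets.token_bytes(32)  # key material not derived from the user's secret
    substituted = encrypt_authenticated(other_master, secrets.token_bytes(32), label)
    if decrypt_authenticated(user_master_key, genuine, label) != file_key:
        return False
    try:
        decrypt_authenticated(user_master_key, substituted, label)
    except ValueError:
        return True
    return False
```

The defender's takeaway is in the last three functions: integrity of file contents, of the metadata that places them, and of the key material itself all reduce to the same fail-closed verification under a key the storage provider does not possess, which is exactly what the unauthenticated modes and unauthenticated key handling described above omit.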
These findings follow previous research that highlighted similar vulnerabilities in other platforms like Nextcloud and MEGA, indicating a broader issue within the E2EE cloud service market.
The researchers emphasize the need for improved security measures and the establishment of standard protocols for secure end-to-end encryption storage.
In response to the findings, Sync has committed to swiftly resolving the vulnerabilities, while Tresorit expressed confidence in its design but acknowledged areas for improvement.
Despite the acknowledgment from some providers, Icedrive has not addressed the identified vulnerabilities, and Seafile has promised to fix its protocol downgrade issue in a future update.
The researchers disclosed their findings to the affected companies in April and September 2024, with varying responses; however, Icedrive and pCloud did not respond to requests for comments.
The researchers noted that many of these attacks are not sophisticated and can be executed by attackers with minimal cryptographic skills, highlighting the urgent need for enhanced security protocols.
Summary based on 4 sources
Sources

TechRadar pro • Oct 21, 2024
Several top E2EE cloud storage providers have serious security flaws
BleepingComputer • Oct 20, 2024
Severe flaws in E2EE cloud storage platforms used by millions
The Hacker News • Oct 21, 2024
Researchers Discover Severe Security Flaws in Major E2EE Cloud Storage Providers
SC Media • Oct 21, 2024
Researchers discover flaws in 5 end-to-end encrypted cloud services