
5 cloud storage platforms exposed to cryptographic flaws


Several major end-to-end encrypted (E2EE) cloud storage providers, including Sync, pCloud, Icedrive, Seafile, and Tresorit, have been exposed to significant cryptographic vulnerabilities, raising concerns about their overall security.

Popular services like Google Drive and Dropbox, while convenient, do not provide E2EE, so the provider itself can read the data it stores. In contrast, E2EE platforms assure users that only they hold the keys to their data, using sophisticated cryptographic techniques to secure information from prying eyes—even the storage provider itself.

Researchers found strikingly similar vulnerabilities across multiple cloud storage providers, suggesting a pattern of common failure points in cryptographic design. The issues range from server-based attacks that allow file tampering and injection to weaknesses that expose the plaintext of sensitive documents.

The analysis was conducted under the assumption of a malicious server, a worst-case scenario that spotlights the weakest links in the cryptographic chain.

“The vulnerabilities range in severity: in many cases a malicious server can inject files, tamper with file data, and even gain direct access to plaintext. Remarkably, many of our attacks affect multiple providers in the same way, revealing common failure patterns in independent cryptographic designs,” researchers said.

Sync is a Canadian cloud storage provider with over 2 million users. Despite its reputation, the study shows that a malicious server could break the confidentiality of uploaded files and manipulate their content. Sync uses PBKDF2-SHA256 for key derivation and AES-GCM for symmetric encryption, but these implementations fall short in preventing tampering.

pCloud, which serves 20 million users, also fell victim to cryptographic attacks. The study shows that pCloud’s systems are vulnerable to file tampering and confidentiality breaches. Its cryptographic setup includes PBKDF2-SHA512 for key derivation and AES-CTR, but these protections proved insufficient in the face of sophisticated attacks.

Seafile is an open-source platform used by institutions like Humboldt University and security firms like Kaspersky. Researchers found Seafile vulnerable to password brute-forcing attacks. This could potentially allow malicious actors to gain unauthorised access to user data. Seafile uses a mix of AES-CBC and AES-ECB encryption schemes alongside PBKDF2-SHA256, but these are not enough to protect users from server-based file injection and tampering attacks.

UK-based Icedrive’s cryptographic framework failed to safeguard file integrity from server-side manipulation. The report highlighted issues with its use of the Twofish-CBC encryption algorithm, suggesting that it may not be robust enough for a truly secure E2EE solution.

Tresorit, a Swiss-based provider, offers some of the more sophisticated encryption technologies of the five providers studied. However, the report found that Tresorit is still vulnerable to certain attacks, including the presentation of non-authentic keys during file sharing and metadata tampering. Tresorit employs scrypt and PBKDF2 for key derivation and AES-GCM for symmetric encryption, but these measures did not prevent certain types of server-based exploits.
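The difference between the unauthenticated modes named above (AES-CTR at pCloud, AES-CBC and AES-ECB at Seafile) and an authenticated mode such as AES-GCM, as an added Go example that is not from the study or from any of the providers; the key, IV and document are constructed, and a single flipped ciphertext bit stands in for a malicious server editing a stored blob:

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
)

// Constructed key, IV and document for a repeatable demo. A real client derives
// the key from the passphrase (PBKDF2/scrypt) and picks a fresh IV per file.
var key = sha256.Sum256([]byte("constructed example passphrase"))
var iv = make([]byte, aes.BlockSize) // 16 bytes for CTR; first 12 reused as GCM nonce
var document = []byte("invoice total: 1000 EUR")

const tamperPos = 15 // index of the '1' in "1000"

// ctrXOR runs AES-256-CTR. Encryption and decryption are the same keystream
// XOR, so the mode cannot signal that stored ciphertext was modified.
func ctrXOR(in []byte) []byte {
	block, _ := aes.NewCipher(key[:])
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out
}

// CTRTamperUndetected reports whether a server flipping one bit of CTR
// ciphertext (no key needed) yields an error-free decryption that differs
// from the original document only at that position.
func CTRTamperUndetected() bool {
	ct := ctrXOR(document)
	ct[tamperPos] ^= 0x01 // the server's edit to the stored blob
	pt := ctrXOR(ct)
	want := append([]byte(nil), document...)
	want[tamperPos] ^= 0x01 // '1' (0x31) becomes '0' (0x30): "0000 EUR"
	return bytes.Equal(pt, want)
}

// GCMTamperDetected reports whether AES-256-GCM, an authenticated mode,
// rejects the same single-bit modification of the stored ciphertext.
func GCMTamperDetected() bool {
	block, _ := aes.NewCipher(key[:])
	g, _ := cipher.NewGCM(block)
	ct := g.Seal(nil, iv[:12], document, nil)
	ct[tamperPos] ^= 0x01
	_, err := g.Open(nil, iv[:12], ct, nil)
	return err != nil
}
```

Authenticated encryption of file contents is necessary but not sufficient: Sync and Tresorit both use AES-GCM, and the attacks described against them go through key handling and metadata rather than the cipher mode.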

Researchers disclosed the vulnerabilities in April 2024, and all of the providers except Icedrive have acknowledged the flaws. “We want to assure our users that there is no real danger of the zero-knowledge encrypted data stored on our servers — it cannot be decrypted without knowing the passphrase,” Icedrive told The Hacker News. “If someone gains full control over a file server (which is not an easy task) and tampers with a user’s files, our apps will detect this using the file integrity checks we have and will not decrypt files, issuing an error warning.”


Kumar Hemant


Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
