Some cloud storage providers that offer end-to-end encryption (E2EE) are largely exploiting a broken ecosystem that, in a very realistic theory, could allow threat actors to tamper with the files in ways that shouldn’t be possible , experts claim.
In an in-depth analysis recently published on the website Brokencloudstorage.info, cybersecurity researchers Jonas Hofmann and Kien Tuong Truong of the ETF Zurich noted that if a threat actor compromises a corporate server, they can “inject files, tamper with file data and even directly access plaintext.”
During their research, the two experts analyzed five major providers in the field – Sync, pCloud, Icedrive, Seafile and Tresorit, and concluded: “Many of our attacks affect multiple providers in the same way, revealing common error patterns in independent cryptographic designs . “
Objectives of nation states
On Sync and pCloud, a compromised server can be exploited to break the confidentiality of uploaded files, inject files and tamper with their contents, while for Seafile such a server can be used to accelerate brute-force attacks, steal files injecting and tampering with the contents.
For Icedrive, hackers could use a compromised server to break the integrity of uploaded files, inject files and tamper with their contents, while for Tresorid a broken server could be used to present inauthentic keys when sharing files . Scammers could also tamper with certain metadata in the storage.
The researchers emphasize that this does not mean that the service providers are malicious, but that these flaws make them a prime target for threat actors. More importantly, national threat actors. They also added that compromising a server of an E2EE cloud storage provider is not as far-fetched as it may seem at first glance.
They even claim that this is the “most realistic” adversary model for E2EE cloud storage.
The majority of service providers mentioned in the report – Sync, Seafile and Tresorit – are said to have acknowledged the report. Icedrive has yet to address the issue, while there are no reports for pCloud yet.
Via The hacker news