Severe Flaws in Cloud Storage Platforms Affecting 22 Million People

While cloud storage platforms like Google Drive, Dropbox, and OneDrive are household names, these services do not provide end-to-end encryption, meaning that the provider can access the data stored on its servers at its discretion. End-to-end encrypted cloud storage platforms emerged to give customers the best of both worlds: low-cost storage and, through cryptographic techniques, control over who sees their data.

Researchers Jonas Hofmann and Kien Tuong Truong conducted cryptographic analyses of five of the major end-to-end encrypted cloud storage providers. The analyses revealed severe cryptographic vulnerabilities, many of which affect multiple providers in the same way, pointing to common failure patterns.

Important note: Attacks were conducted by the researchers under the assumption of a compromised server.

The researchers disclosed their findings to the vendors in April of this year.

Tresorit was already in pretty good shape compared to the others but still committed to making changes to make their systems more robust.

Seafile and Sync have addressed the issue, with Seafile promising to patch the protocol downgrade problem specifically in a future upgrade. Sync has fixed some of the problems already and has reportedly reached out to the research team to share findings and collaborate on the next steps. Sync has also stated that there is no evidence of these vulnerabilities having been exploited or of files having been compromised.

Icedrive decided not to address the issues, and pCloud has yet to respond.

Here are some definitions that might come in handy for understanding the rest of this article.