Severe cryptographic vulnerabilities have been uncovered in several popular end-to-end encrypted (E2EE) cloud storage platforms used by millions of people.
ETH Zurich researchers Jonas Hofmann and Kien Tuong Truong analyzed five major providers—Sync, pCloud, Icedrive, Seafile and Tresorit— and revealed significant flaws in four of them.
The study, published earlier this month, raises serious concerns about the security claims of these services, particularly in scenarios where a malicious server could compromise user data.
In particular, the research focused on how a compromised server could tamper with, inject or access files stored by users who believe their data is protected by E2EE.
The findings showed that four of the five platforms—Sync, pCloud, Icedrive and Seafile—are vulnerable to several attacks, including the ability to inject files, alter metadata and even access plaintext data. Tresorit was the only provider that was not found to have these vulnerabilities.
Key Vulnerabilities Identified
Key attack vectors identified by the researchers include:
-
File injection, allowing attackers to place files in a user's storage
-
Tampering with filenames and metadata
-
Gaining unauthorized access to decrypted content
-
Link-sharing leakage, where shared files could be exposed
Sync, one of the most widely used services with over two million users, including organizations like the Canadian Red Cross and the University of Toronto, was found to be particularly vulnerable to these attacks, undermining its claims of confidentiality and file integrity.
A Call for Stronger Cryptographic Standards
The study explained that the vulnerabilities result from common cryptographic design flaws, affecting several providers in similar ways.
This points to broader issues in the development of E2EE cloud storage solutions.
"We do not claim that the providers themselves would act maliciously, but rather that, by virtue of the data they store, they are an attractive target for nation-state adversaries and hackers, who would attempt to compromise the server and mount attacks against the users," Hofmann and Tuong Truong warned.
The findings were disclosed to the affected companies earlier this year.
While Seafile has committed to addressing the issues, others, like Sync and pCloud, have yet to respond.