Severe Flaws Discovered in Major E2EE Cloud Storage Services


Severe cryptographic vulnerabilities have been uncovered in several popular end-to-end encrypted (E2EE) cloud storage platforms used by millions of people.

ETH Zurich researchers Jonas Hofmann and Kien Tuong Truong analyzed five major providers, Sync, pCloud, Icedrive, Seafile and Tresorit, and revealed significant flaws in four of them.

The study, published earlier this month, raises serious concerns about the security claims of these services, particularly in scenarios where a malicious server could compromise user data.

In particular, the research focused on how an attacker who controls the provider's server could tamper with, inject or read files belonging to users who believe their data is protected by E2EE. This "malicious server" threat model is exactly the one E2EE is supposed to defend against: the server holds the ciphertext but should hold no key material.

The findings showed that four of the five platforms—Sync, pCloud, Icedrive and Seafile—are vulnerable to several attacks, including the ability to inject files, alter metadata and even access plaintext data. Tresorit was the only provider that was not found to have these vulnerabilities.

Key Vulnerabilities Identified

Key attack vectors identified by the researchers include:

  • File injection, allowing attackers to place files in a user's storage

  • Tampering with filenames and metadata

  • Gaining unauthorized access to decrypted content

  • Link-sharing leakage, where shared files could be exposed

Sync, one of the most widely used services with over two million users, including organizations like the Canadian Red Cross and the University of Toronto, was found to be particularly vulnerable to these attacks, undermining its claims of confidentiality and file integrity.
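The two middle items in the list above, metadata tampering and file injection, are possible whenever the server can move or swap ciphertext without the client noticing. The following is an added, generic illustration written for this article; it is not code from the ETH Zurich paper or from any of the providers named, and it does not reproduce the specific constructions the researchers examined. It models one user record in two ways: design A encrypts the filename and the content as two independent, unauthenticated ciphertexts (the server can relocate a record and give it another file's encrypted name), and design B authenticates each record with encrypt-then-MAC, binding the folder path as associated data so the same manipulation is rejected. The HMAC-in-counter-mode stream cipher and the KDF are toys chosen so the example runs on the standard library alone; the sample files are constructed.

```python
"""Toy model of a malicious cloud server tampering with file metadata.

Added illustration, not code from the ETH Zurich paper or any provider.
Design A binds nothing: the encrypted filename and the encrypted content
are independent ciphertexts, so the server can swap or relocate them and
the client decrypts the result without noticing.  Design B authenticates
the whole record (encrypt-then-MAC) with the folder path as associated
data, so the same manipulation fails verification.
"""
import hashlib
import hmac
import secrets


def _derive(master: bytes, label: bytes) -> bytes:
    """Derive an independent sub-key from the user's master key (toy KDF)."""
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a toy stream cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def _decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


# --- Design A: confidential but unauthenticated name and content -------------
def weak_store(master: bytes, path: str, name: str, content: bytes) -> dict:
    k = _derive(master, b"enc")
    return {"path": path, "enc_name": _encrypt(k, name.encode()), "enc_content": _encrypt(k, content)}


def weak_load(master: bytes, record: dict) -> tuple:
    k = _derive(master, b"enc")
    return (record["path"], _decrypt(k, record["enc_name"]).decode(), _decrypt(k, record["enc_content"]))


# --- Design B: encrypt-then-MAC, folder path bound as associated data --------
def _tag(mac_key: bytes, path: str, enc_name: bytes, enc_content: bytes) -> bytes:
    # Length prefix keeps the concatenation unambiguous.
    ad = path.encode() + b"\x00" + len(enc_name).to_bytes(4, "big")
    return hmac.new(mac_key, ad + enc_name + enc_content, hashlib.sha256).digest()


def strong_store(master: bytes, path: str, name: str, content: bytes) -> dict:
    k, m = _derive(master, b"enc"), _derive(master, b"mac")
    enc_name, enc_content = _encrypt(k, name.encode()), _encrypt(k, content)
    return {"path": path, "enc_name": enc_name, "enc_content": enc_content,
            "tag": _tag(m, path, enc_name, enc_content)}


def strong_load(master: bytes, record: dict) -> tuple:
    k, m = _derive(master, b"enc"), _derive(master, b"mac")
    expected = _tag(m, record["path"], record["enc_name"], record["enc_content"])
    if not hmac.compare_digest(expected, record["tag"]):
        raise ValueError("record failed authentication: server-side tampering?")
    return (record["path"], _decrypt(k, record["enc_name"]).decode(), _decrypt(k, record["enc_content"]))


# --- What a compromised server can do without holding any key ---------------
def server_relocate_and_rename(victim: dict, donor: dict, new_path: str) -> dict:
    """Move the victim record to another folder and give it the donor's encrypted name."""
    return {**victim, "path": new_path, "enc_name": donor["enc_name"]}


def demo() -> dict:
    master = secrets.token_bytes(32)          # client-side key the server never sees
    # Constructed sample files.
    a = weak_store(master, "/Contracts", "offer_final.pdf", b"salary: 100k")
    b = weak_store(master, "/Drafts", "old_notes.txt", b"scratch")
    weak = weak_load(master, server_relocate_and_rename(a, b, "/Drafts"))
    sa = strong_store(master, "/Contracts", "offer_final.pdf", b"salary: 100k")
    sb = strong_store(master, "/Drafts", "old_notes.txt", b"scratch")
    try:
        strong_load(master, server_relocate_and_rename(sa, sb, "/Drafts"))
        rejected = False
    except ValueError:
        rejected = True
    return {"weak": weak, "strong_rejected": rejected, "strong_clean": strong_load(master, sa)}


if __name__ == "__main__":
    print(demo())
```

In design A the client happily decrypts the relocated record as `/Drafts/old_notes.txt` with the contract's contents, which is the metadata-tampering class of attack. Design B rejects it, but note what a per-record MAC does not cover: the server can still serve an older valid version of a record (rollback) or withhold records entirely, so a complete design also needs a versioned, authenticated directory listing.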


A Call for Stronger Cryptographic Standards

The study explained that the vulnerabilities result from common cryptographic design flaws, affecting several providers in similar ways. 

This points to broader issues in the development of E2EE cloud storage solutions.

"We do not claim that the providers themselves would act maliciously, but rather that, by virtue of the data they store, they are an attractive target for nation-state adversaries and hackers, who would attempt to compromise the server and mount attacks against the users," Hofmann and Truong warned.

The findings were disclosed to the affected companies earlier this year.

While Seafile has committed to addressing the issues, others, like Sync and pCloud, have yet to respond.

Peter Budai, CTO, Tresorit, provided Infosecurity with the following statement: "The study confirmed that Tresorit's security design is resilient against critical vulnerabilities affecting other providers. Tresorit has the right cryptographic choices to protect the confidentiality of both data and metadata while also safeguarding against tampering but needs to disclose some metadata with its servers for layered security and proper storage quota recording. Upcoming features such as public key fingerprint verification for folder sharing in 2025 aim to further prevent key replacement attacks. As security remains Tresorit’s top priority, we’re committed to leveraging research insights to drive continuous platform improvements and lead the industry toward higher standards."
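The "key replacement attacks" and "public key fingerprint verification" that the Tresorit statement refers to are a general problem for any E2EE service whose server also acts as the public-key directory: when a user shares a folder, the client fetches the recipient's public key from the server, and a malicious server can hand back a key it controls. The following is an added illustration written for this article, not code from Tresorit, the ETH Zurich paper, or any provider, and it says nothing about how any real product implements sharing. It uses a toy Diffie-Hellman group (p = 2^127 - 1, g = 3, not a secure choice) and an HMAC-derived keystream to wrap a folder key, and shows that the attack succeeds against a client that trusts the directory and fails against one that compares the recipient's key fingerprint obtained out of band. All users, keys and servers are constructed.

```python
"""Toy model of a key replacement attack on folder sharing, and the
out-of-band fingerprint check that defeats it.  Added illustration; the
DH group below is a toy (p = 2**127 - 1, g = 3) and NOT a secure parameter
choice, and the wrapping scheme is simplified to run on the stdlib alone.
"""
import hashlib
import hmac
import secrets

P = 2**127 - 1   # Mersenne prime, toy group only
G = 3


def keygen() -> tuple:
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def fingerprint(pub: int) -> str:
    """Short hash of a public key: the value two users compare out of band."""
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()[:16]


def _wrap_key(shared: int) -> bytes:
    return hmac.new(shared.to_bytes(16, "big"), b"folder-key-wrap", hashlib.sha256).digest()


def wrap_folder_key(recipient_pub: int, folder_key: bytes) -> dict:
    """Encrypt a 32-byte folder key to recipient_pub (ephemeral DH, toy)."""
    eph_priv, eph_pub = keygen()
    ks = _wrap_key(pow(recipient_pub, eph_priv, P))
    return {"eph_pub": eph_pub, "ct": bytes(a ^ b for a, b in zip(folder_key, ks))}


def unwrap_folder_key(priv: int, blob: dict) -> bytes:
    ks = _wrap_key(pow(blob["eph_pub"], priv, P))
    return bytes(a ^ b for a, b in zip(blob["ct"], ks))


class Server:
    """Untrusted key directory: stores each user's public key."""
    def __init__(self):
        self.directory = {}

    def register(self, user: str, pub: int) -> None:
        self.directory[user] = pub

    def lookup(self, user: str) -> int:
        return self.directory[user]


class MaliciousServer(Server):
    """Compromised directory: answers every lookup with the attacker's key."""
    def __init__(self, attacker_pub: int):
        super().__init__()
        self.attacker_pub = attacker_pub

    def lookup(self, user: str) -> int:
        return self.attacker_pub


def share_folder(server: Server, recipient: str, folder_key: bytes, expected_fp: str = None) -> dict:
    """Alice's client: fetch the recipient key, optionally verify its fingerprint, wrap."""
    pub = server.lookup(recipient)
    if expected_fp is not None and not hmac.compare_digest(fingerprint(pub), expected_fp):
        raise ValueError(f"public key for {recipient} does not match verified fingerprint")
    return wrap_folder_key(pub, folder_key)


def demo() -> dict:
    bob_priv, bob_pub = keygen()
    mal_priv, mal_pub = keygen()
    folder_key = secrets.token_bytes(32)
    honest = Server()
    honest.register("bob", bob_pub)
    evil = MaliciousServer(mal_pub)
    evil.register("bob", bob_pub)          # still "stores" Bob's real key, never returns it

    # 1. Honest directory, no fingerprint check: Bob recovers the folder key.
    honest_ok = unwrap_folder_key(bob_priv, share_folder(honest, "bob", folder_key)) == folder_key
    # 2. Malicious directory, no check: the attacker, not Bob, can unwrap.
    blob = share_folder(evil, "bob", folder_key)
    mallory_reads = unwrap_folder_key(mal_priv, blob) == folder_key
    bob_reads = unwrap_folder_key(bob_priv, blob) == folder_key
    # 3. Malicious directory, Alice compares the fingerprint Bob gave her in person.
    try:
        share_folder(evil, "bob", folder_key, expected_fp=fingerprint(bob_pub))
        detected = False
    except ValueError:
        detected = True
    return {"honest_ok": honest_ok, "mallory_reads": mallory_reads,
            "bob_reads": bob_reads, "detected": detected}


if __name__ == "__main__":
    print(demo())
```

The check only helps if the fingerprint is obtained over a channel the server does not control (shown in person, read over a call, or pinned from a previous verified session); a fingerprint displayed by the same server that serves the key is no protection at all.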

This article was updated on October 29 with a statement from Tresorit.
