Home / News

Security Shortfalls Exposed in End-to-End Encrypted Cloud Storage Providers

A recent study critically examines the security of popular end-to-end encrypted (E2EE) cloud storage providers, uncovering significant vulnerabilities in platforms widely marketed for their user-controlled privacy features.

The analysis, conducted by researchers from ETH Zurich, focused on five major providers—Sync, pCloud, Icedrive, Seafile, and Tresorit—serving over 22 million users globally. The findings indicate that, despite claims of secure encryption, most providers have fundamental design flaws that expose users to various risks, from data tampering to unauthorized access by malicious servers.

Data security flaws: E2EE storage is designed to safeguard user data from potential breaches, even if the server hosting the files is compromised. However, researchers found that four out of the five providers evaluated failed to uphold adequate security standards against such threats. They identified a series of vulnerabilities, including unauthenticated key management, weak encryption protocols, and metadata manipulation risks. These gaps allow attackers to inject files, tamper with file integrity, and, in some cases, even gain access to the content of stored files.

SKey authentication concerns: ync and pCloud, for instance, lack proper authentication for user key materials, which can lead to key-replacement attacks. This vulnerability enables an adversary to control encryption keys, thereby decrypting data without user consent. Other providers like Seafile are prone to downgrade attacks, which weaken encryption by reverting to older, less secure protocols. Furthermore, these systems often fail to protect file metadata adequately, making it possible for attackers to manipulate file locations or alter metadata like file names and modification dates.

Flawed cryptographic practices: The authors highlight that these issues arise from a common set of flawed cryptographic practices within the E2EE cloud storage ecosystem. They suggest that solutions, including standardized protocols and stronger cryptographic authentication, are necessary to establish genuine security for users. Although some providers have acknowledged the findings and promised improvements, the report calls for immediate attention to these weaknesses.

NORDVPN DISCOUNT - CircleID x NordVPN
Get NordVPN  [74% +3 extra months, from $2.99/month]
By CircleID Reporter

CircleID’s internal staff reporting on news tips and developing stories. Do you have information the professional Internet community should be aware of? Contact us.

Visit Page

Filed Under

Comments

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

Related

Topics

Brand Protection

Sponsored byCSC

Threat Intelligence

Sponsored byWhoisXML API

Domain Names

Sponsored byVerisign

Cybersecurity

Sponsored byVerisign

New TLDs

Sponsored byRadix

DNS

Sponsored byDNIB.com

IPv4 Markets

Sponsored byIPv4.Global