Nearly 22 million users of the end-to-end encrypted (E2EE) cloud storage services Sync, pCloud, Icedrive, Seafile, and Tresorit could have their files compromised due to a plethora of vulnerabilities within their E2EE implementations, according to SC Media.
While only metadata tampering and non-authentication key utilization during file sharing were possible with the exploitation of Tesorit flaws, the remaining E2EE services are impacted by more severe security issues, a study from ETH Zurich researchers revealed.
Both pCloud and Sync could be subjected to attacks leveraging unauthenticated keys to facilitate encryption key injections and file compromise. Attackers could also abuse an encryption protocol downgrading flaw in Seafile to enable increased brute-force intrusion risk, while file injections were possible with Icedrive, Seafile, and Sync.
Additional findings showed metadata and directory structure leakage across all E2EE services, with Seafile also exposing certain plaintext details. All of the vendors have already been notified about the security issues, and Sync and Seafile are already in the process of developing fixes.
