Cloud Storage Privacy at Risk by the Actual Storage Provider

A recent technical paper put forth by Duane C. Wilson, affiliated with Johns Hopkins University, suggests that a flaw exists in Cloud storage that allows the Cloud Storage Provider to secretly read data shared between colleagues.

Just storing data in a Cloud warehouse is safe enough, but the flaw surfaces when documents are shared between individuals. Even though Cloud providers promote secure storage, they are, in most cases, unaware that the content is available for hacking in a couple key spaces in the timeline of the sharing process due to the flaw.

The way the flaw works is that, during the sharing process, the originator's Encryption key is replaced by the Provider's allowing the Provider to decrypt and view contents of the data.

"In the secure cloud storage providers we examined," Wilson said, "the storage businesses were each operating as their own 'trusted third party,' meaning they could easily issue fake identity credentials to people using the service. The storage businesses could use a phony 'key' to decrypt and view the private information, then re-encrypt it before sending it on to its intended recipient."

There have been no reports of this happening, but the paper only serves to highlight that it can occur and that the flaw exists. File-sharing services like Dropbox and Google Drive "make no pledge of privacy," but when user data is uploaded, the encrypted keys that are used are owned by the file-sharing service.

The full technical paper is here: "To Share or Not to Share" in Client-Side Encrypted Clouds