Johns Hopkins computer scientists have found a flaw in the way that secure cloud storage companies protect their customers’ data, a weakness they say jeopardizes the privacy protection these digital warehouses claim to offer.
Whenever customers share their confidential files with a trusted friend or colleague, researchers say, the storage provider could exploit the security flaw to secretly view private data.
The flaw is detailed in a technical paper posted on arXiv.org, a Cornell site that hosts preprints of scientific papers in select disciplines, including computer science. The lead author is Duane C. Wilson, a doctoral student in the university’s Department of Computer Science in the Whiting School of Engineering. The senior author is his faculty adviser, Giuseppe Ateniese, an associate professor in the department. Both are affiliated with the Johns Hopkins University Information Security Institute.
The team’s research focused on the secure cloud storage providers that are increasingly being used by businesses and others to house or back up sensitive information about intellectual property, finances, employees, and customers. These storage providers claim to offer “zero-knowledge environments,” meaning that their employees cannot see or access the clients’ data. These storage businesses typically assert that this confidentiality is guaranteed because the information is encrypted before it is uploaded for cloud storage.
But the Johns Hopkins team found that complete privacy could not be guaranteed by these vendors.
“Our research shows that as long as the data is not shared with others, its confidentiality will be preserved, as the providers claim,” Wilson said. “However, whenever data is shared with another recipient through the cloud storage service, the providers are able to access their customers’ files and other data.”