Microsoft can open and scan password-protected Zip archives in the cloud

Alfonso Maruccia

In context: Protecting a Zip archive with a password can be a quick, easy way to secure sensitive or potentially dangerous data uploaded to a cloud storage server. However, when the cloud belongs to Microsoft, you cannot count on the archive's contents being left alone.

Microsoft decrypts, opens, and scans password-protected Zip archives uploaded to the company's cloud servers in search of potential computer threats. Security researcher Andrew Brandt recently discovered the issue while trying to share malware samples with other researchers through SharePoint.

One of the zipped archives Brandt used to move malware files around the cloud got flagged by Microsoft's online service as a security threat. Brandt had protected the archive with the password "infected." He said that he shared the malware through a private cloud storage bucket and that it is now useless. The space available for sending samples to colleagues is shrinking, Brandt said, and he fears the issue will hurt the ability of malware researchers to do their job.

Brandt said that Microsoft's policy to scan protected archives for dangerous threats is understandable for average users. However, this "nosy, get-inside-your-business" way of handling things is troublesome for security professionals.

Experts say that Microsoft's ability to scan inside password-protected files isn't the result of any brute-force cracking technique. The company is likely trying a list of commonly used passwords, or it is simply checking users' email messages for the password needed to decrypt a shared Zip archive. Redmond also seems to apply the same forced scanning to SharePoint and Microsoft 365 cloud accounts.

While Microsoft checks protected files without asking users' permission first, Google manages the issue seemingly less intrusively. The company says it doesn't scan password-protected archives, though Gmail can flag an encrypted attachment, and the Google Workspace service prevents sending protected Zip archives altogether.

ZipCrypto, the legacy symmetric encryption scheme defined in the standard Zip specification, is known to be seriously flawed. As the recently rediscovered invasive policy toward Zip files highlights, hiding sensitive data inside a ZipCrypto-protected archive no longer provides any meaningful protection. In contrast, other archive formats or stronger encryption algorithms such as AES-256 should hold up even against Microsoft's "nosy" scanning attempts in the cloud.
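The two points above (no brute force is needed once a password is known, and ZipCrypto reveals a lot even without it) are easy to see on a real archive. The following is an added, self-contained example written for this page; it is not code from the article, from Brandt, or from Microsoft, and it makes no claim about how Microsoft's scanner actually works. It builds a traditionally encrypted ("ZipCrypto") archive in memory with Python's standard library, lists what the central directory exposes to anyone holding the file (entry names, sizes and the CRC-32 of the plaintext, none of which are encrypted), and then opens it with a single stdlib call once the password is supplied. The payload and password are constructed sample values.

```python
"""Constructed example: what a ZipCrypto password-protected .zip exposes, and how
little it takes to open it once the password is known. Standard library only."""
import io
import os
import struct
import zipfile
import zlib

# Standard reflected CRC-32 table (polynomial 0xEDB88320); ZipCrypto's key
# schedule uses the raw table step, without the usual pre/post inversion.
_CRCTAB = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRCTAB.append(_c)


def _crc_step(crc: int, b: int) -> int:
    return _CRCTAB[(crc ^ b) & 0xFF] ^ (crc >> 8)


class ZipCryptoEncryptor:
    """Traditional PKWARE ("ZipCrypto") stream cipher, encrypt direction.
    Three 32-bit keys are seeded from the password and advanced on every
    plaintext byte; the keystream byte is derived from key 2 alone."""

    def __init__(self, password: bytes):
        self.k = [0x12345678, 0x23456789, 0x34567890]
        for b in password:
            self._update(b)

    def _update(self, b: int) -> None:
        k = self.k
        k[0] = _crc_step(k[0], b)
        k[1] = (k[1] + (k[0] & 0xFF)) & 0xFFFFFFFF
        k[1] = (k[1] * 134775813 + 1) & 0xFFFFFFFF
        k[2] = _crc_step(k[2], k[1] >> 24)

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for p in data:
            t = (self.k[2] | 2) & 0xFFFF
            out.append(p ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self._update(p)  # keys advance on the plaintext byte
        return bytes(out)


def build_zipcrypto_archive(name: str, plaintext: bytes, password: bytes) -> bytes:
    """Single-entry, stored (uncompressed) zip using traditional encryption."""
    crc = zlib.crc32(plaintext) & 0xFFFFFFFF
    enc = ZipCryptoEncryptor(password)
    # 12-byte encryption header: 11 random bytes plus the CRC high byte, which
    # readers use as the password check byte before decrypting anything else.
    body = enc.encrypt(os.urandom(11) + bytes([crc >> 24])) + enc.encrypt(plaintext)
    fname = name.encode()
    flags, method = 0x0001, 0  # bit 0 = entry is encrypted; method 0 = stored
    dos_date = ((2023 - 1980) << 9) | (1 << 5) | 1  # 2023-01-01, constructed
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method, 0, dos_date,
                        crc, len(body), len(plaintext), len(fname), 0) + fname
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, method, 0,
                          dos_date, crc, len(body), len(plaintext), len(fname),
                          0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central),
                       len(local) + len(body), 0)
    return local + body + central + eocd


def inspect_archive(data: bytes) -> list:
    """Metadata the central directory exposes with no password at all."""
    rows = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            rows.append({
                "name": info.filename,                 # in the clear even when encrypted
                "encrypted": bool(info.flag_bits & 0x1),
                "method": info.compress_type,          # 99 would indicate WinZip AES
                "size": info.file_size,
                "crc32": info.CRC,                     # CRC-32 of the *plaintext*
            })
    return rows


def read_with_password(data: bytes, name: str, password: bytes):
    """Return the plaintext, or None when the password is wrong."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        try:
            return zf.read(name, pwd=password)
        except (RuntimeError, zipfile.BadZipFile):  # bad check byte, or CRC mismatch
            return None


# Constructed sample payload and the conventional "infected" password from the story.
SAMPLE_PAYLOAD = b"harmless placeholder payload, constructed for this example\n"
SAMPLE_PASSWORD = b"infected"

if __name__ == "__main__":
    archive = build_zipcrypto_archive("sample.bin", SAMPLE_PAYLOAD, SAMPLE_PASSWORD)
    for row in inspect_archive(archive):
        print("exposed without password:", row)
    print("opened with password:", read_with_password(archive, "sample.bin", SAMPLE_PASSWORD))
```

Two things worth noticing when running it: the plaintext CRC-32 and size in the central directory are identical no matter which password protects the archive, so a scanner can match an entry against a known-sample CRC without decrypting anything; and with the password in hand, the "cracking" step is a plain `ZipFile.read(name, pwd=...)`. Archives whose entries show method 99 (WinZip AES) would not open this way in the standard library at all, which is the practical difference behind the AES-256 recommendation above.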


 
This is just Brandt and a bunch of forum commenters speculating about how that archive was flagged. Good grief. IF Microsoft detected the malware by unlocking the archive, then I guess the lesson here is to spend 5 seconds on a secure password.
 
I wouldn't trust anyone in the cloud, so the reminder is that if it's important or you don't want the cloud provider seeing it, encrypt it with something strong before you upload it, and if it's a file you need to access directly from the cloud, then assess your risks. No surprise from MS if they were opening up archives to snoop, as privacy to them is seemingly a word not in their dictionary.
 
Is this really even news? Some security researcher has his file trashed and then has the hubris to say that it's understandable for the average user? I guess he just found out that he is an "average user". 🤣

Really, dude. Come on! It's the first rule, IMO, that any file, whether encrypted or not, uploaded to the cloud is subject to being scanned for any reason by any and every "cloud provider." Even an average user should be able to understand this, but this guy cannot? :rolleyes:
 
> Is this really even news? Some security researcher has his file trashed and then has the hubris to say that it's understandable for the average user? I guess he just found out that he is an "average user". 🤣
>
> Really, dude. Come on! It's the first rule, IMO, that any file, whether encrypted or not, uploaded to the cloud is subject to being scanned for any reason by any and every "cloud provider." Even an average user should be able to understand this, but this guy cannot? :rolleyes:

I think you're missing the point. Sure, files should be scanned. But not cracked. What is happening now is MS actively uses hacking techniques to extract files from the archive and scan them. And who knows for what else. How can you then trust tenant isolation for cloud business use, if MS can simply hack corporate data?
 
> I think you're missing the point. Sure, files should be scanned. But not cracked. What is happening now is MS actively uses hacking techniques to extract files from the archive and scan them. And who knows for what else. How can you then trust tenant isolation for cloud business use, if MS can simply hack corporate data?

I bet he did not use the encrypt file name option .. or he did not put it 100 zip layers deep. Either way ... he made a rookie mistake .. it's on him.
 
Uh, I never viewed a zip file as a secure format.

Sure, against your average person that knows the bare minimum of tech to use it, a password protected anything is enough (e.g. Word doc, PDF), but that isn’t a *secure* file.
 
> I bet he did not use the encrypt file name option .. or he did not put it 100 zip layers deep. Either way ... he made a rookie mistake .. it's on him.

Weird how, if done wrong, you can see what the actual files are - especially if the files have unique names and came from the internet - oh well, if it catches some pedos, all good.
 
> This is just Brandt and a bunch of forum commenters speculating about how that archive was flagged. Good grief. IF Microsoft detected the malware by unlocking the archive, then I guess the lesson here is to spend 5 seconds on a secure password.

Imagine being a security researcher and using a password that is vulnerable to a basic dictionary search.
 
No, no one who cares about securely compressing files uses the ZIP format. I use the RAR format for that. It has stronger encryption, and in the case of Microsoft's cloud I would go one step further and change, or remove, the file's extension to confuse the snoopers.

That Microsoft will do this on my private cloud storage tells me that I should never place anything private on One Drive. Ever.

As for passwords... I don't use passwords. I use pass phrases with 3-4 unrelated words. Like blockchain keys they are far more secure than even random character passwords.

tl;dr
Don't use a cloud to store anything private, because it is not private, regardless of what the cloud provider says. If you need private cloud storage, create your own with a NAS box.
 
Zip? Anyone use zip in 2023?
The worst compression with the worst encryption.
I'm with the 'trial' version of the Russian archiver, aka rar.
That's not gonna change any time soon.
 