No filename encryption in AOMEI Backupper
There's no filename encryption in AOMEI Backupper. You can clearly see all filenames when you open the image file *.adi with a hex editor. Though you still need the password to restore the image, all filenames are still visible. You should close this security vulnerability.
Comments
Thanks for your feedback. Yes, you can see the backup image in the windows, but you cannot open the file directly.
Thanks for your answer, but I already admitted that we can't restore from the *.adi file directly without entering the passphrase. You just downplay the problem. Seeing the filenames unencrypted is unacceptable for an encrypted backup. You should eradicate this sensible vulnerability.
Yes, you are right. Thanks for your suggestions. We will pay attention to it.
I consider this a serious issue.
AOMEI states "The methodology is not simple password protection; the password is used as a key by the industry-standard AES (Advanced Encryption Standard) cryptographic algorithm, which will totally encrypt all data in the image."
If the full image is encrypted using AES, one has to wonder why the file names are not encrypted. And if the file names are not encrypted, this also leads to the nagging question if AES is properly implemented for the file contents.
When using encryption for an image, a user expects that nothing of the encrypted image is extractable without the proper passphrase. No contents and no metadata (file names, files sizes, creation/modification dates, etc).
I suggest AOMEI takes a very thorough look at Backupper's implementation of the encryption.
While I'm at it, I also suggest using transport encryption, i.e. TLS (https) for AOMEI's website(s) and for all downloads. Anything else is not up to date anymore as it's inherently insecure and susceptible to all kinds of manipulation (see e.g. the defacing of AOMEI's website a couple of months ago).
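The check the original poster did by hand in a hex editor, and the expectation stated above that neither contents nor metadata should be extractable without the passphrase, can be turned into a repeatable test. The script below is an added example, not AOMEI's code and not based on the *.adi format: it scans an image file for verbatim filenames in the two encodings Windows software usually writes (UTF-8 and UTF-16LE) and flags fixed-size blocks whose byte entropy is far below what ciphertext produces. `SAMPLE_BLOB`, `CANDIDATE_NAMES` and the `DEMO-IMAGE` header are constructed test data; `BLOCK_SIZE` and `ENTROPY_THRESHOLD` are assumed tuning values.

```python
"""Added example (not AOMEI's code or format): a defender-side check for
plain-text metadata leakage in a supposedly encrypted backup image."""
import math
import random
import sys
from typing import Dict, List

# Filenames we know went into the backup (constructed for this example).
CANDIDATE_NAMES = ["secret_report.docx", "payroll_2019.xlsx", "notes.txt"]

BLOCK_SIZE = 4096          # assumed scan granularity
ENTROPY_THRESHOLD = 7.0    # bits per byte; ciphertext scores close to 8


def _patterns(name: str) -> Dict[str, bytes]:
    """Byte forms a filename takes when stored unencrypted."""
    return {"utf-8": name.encode("utf-8"), "utf-16le": name.encode("utf-16-le")}


def find_plaintext_names(blob: bytes, names: List[str]) -> Dict[str, List[str]]:
    """Map each leaked filename to the encodings in which it appears verbatim."""
    hits: Dict[str, List[str]] = {}
    for name in names:
        found = [enc for enc, pat in _patterns(name).items() if pat in blob]
        if found:
            hits[name] = found
    return hits


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or constant data)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def low_entropy_blocks(blob: bytes, block_size: int = BLOCK_SIZE,
                       threshold: float = ENTROPY_THRESHOLD) -> List[int]:
    """Offsets of fixed-size blocks whose entropy is below the threshold."""
    return [off for off in range(0, len(blob), block_size)
            if shannon_entropy(blob[off:off + block_size]) < threshold]


# Constructed sample "image": a short header, two plain-text filenames,
# random filler standing in for ciphertext, then a block of zero bytes.
_rng = random.Random(20240101)


def _filler(n: int) -> bytes:
    return bytes(_rng.getrandbits(8) for _ in range(n))


_first = (b"DEMO-IMAGE\x00"
          + "secret_report.docx".encode("utf-16-le") + b"\x00\x00"
          + "payroll_2019.xlsx".encode("utf-8") + b"\x00")
_first += _filler(BLOCK_SIZE - len(_first))
SAMPLE_BLOB = _first + bytes(BLOCK_SIZE) + _filler(BLOCK_SIZE)


def scan(blob: bytes, names: List[str]) -> Dict[str, object]:
    """Run both checks and return a small report."""
    return {"leaked_names": find_plaintext_names(blob, names),
            "low_entropy_offsets": low_entropy_blocks(blob)}


if __name__ == "__main__":
    # Usage: python leak_check.py <image-file> <name1> [<name2> ...]
    # Without arguments the constructed sample is scanned instead.
    if len(sys.argv) >= 3:
        with open(sys.argv[1], "rb") as fh:
            report = scan(fh.read(), sys.argv[2:])
    else:
        report = scan(SAMPLE_BLOB, CANDIDATE_NAMES)
    for name, encs in report["leaked_names"].items():
        print(f"LEAK: {name!r} stored in plain text as {', '.join(encs)}")
    for off in report["low_entropy_offsets"]:
        print(f"low-entropy block at offset {off:#x}")
```

A filename hit is conclusive: the name sits in the image unencrypted. The entropy check is only a screen, not proof of a correct AES implementation; compressed data also scores near 8 bits per byte, and a short unencrypted header is normal, so a single low-entropy block at offset 0 is expected while long runs of them deeper in the image deserve a closer look.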
@RiseT Thanks for your suggestions. We will pay attention to it.
Has this issue been resolved?
I'm very satisfied with AOMEI Backupper in general, but this security risk is unacceptable for me.
The encryption scheme should be updated so that everything is encrypted, including file names, or even file content! Is there any technical challenge to do this soon?