
No filename encryption in AOMEI Backupper

There's no filename encryption in AOMEI Backupper. You can clearly see all filenames when you open the image file *.adi with a hex editor. Though you still need the password to restore the image, all filenames are still visible. You should close this security vulnerability.

Comments

  • Thanks for your feedback. Yes, you can see the backup image in Windows, but you cannot open the file directly.

  • edited December 2016

    Thanks for your answer, but I already admitted that we can't restore from the *.adi file directly without entering the passphrase. You just downplay the problem. Seeing the filenames unencrypted is unacceptable for an encrypted backup. You should eradicate this sensible vulnerability.

  • Yes, you are right. Thanks for your suggestions. We will pay attention to it.

  • edited December 2016

    I consider this a serious issue.

    AOMEI states "The methodology is not simple password protection; the password is used as a key by the industry-standard AES (Advanced Encryption Standard) cryptographic algorithm, which will totally encrypt all data in the image."

    If the full image is encrypted using AES, one has to wonder why the file names are not encrypted. And if the file names are not encrypted, this also leads to the nagging question of whether AES is properly implemented for the file contents.

    When using encryption for an image, a user expects that nothing of the encrypted image is extractable without the proper passphrase. No contents and no metadata (file names, file sizes, creation/modification dates, etc.).

    I suggest AOMEI takes a very thorough look at Backupper's implementation of the encryption.

    While I'm at it, I also suggest using transport encryption, i.e. TLS (https) for AOMEI's website(s) and for all downloads. Anything else is not up to date anymore as it's inherently insecure and susceptible to all kinds of manipulation (see e.g. the defacing of AOMEI's website a couple of months ago).
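One way to verify the expectation stated above (no file names or other metadata readable without the passphrase), as an added example that is not part of this thread or of AOMEI's software: it searches the raw bytes of a backup image for names you know were backed up, in both UTF-8 and UTF-16LE since Windows tools store names either way, and lists printable runs the way a hex editor or the `strings` tool would. The real .adi layout is not known here; the sample image is constructed.

```python
import re
import sys

# Constructed stand-in for an "encrypted" image: a fake magic, filler bytes that
# contain no printable runs (standing in for real ciphertext), and two leaked
# names, one stored as plain ASCII and one as UTF-16LE.
CIPHERTEXT_FILLER = b"\x9a\x3c\xe1\x07" * 100              # 400 bytes, offsets 4..403
SAMPLE_IMAGE = (
    b"ADI\x00"                                            # constructed magic, not the real header
    + CIPHERTEXT_FILLER
    + b"Documents\\tax-return-2016.pdf\x00"                # leaked ASCII path at offset 404
    + CIPHERTEXT_FILLER
    + "Photos\\passport.jpg".encode("utf-16-le") + b"\x00\x00"  # leaked UTF-16LE path at 834
    + CIPHERTEXT_FILLER
)


def find_plaintext_names(image: bytes, names) -> dict:
    """Return {name: [(encoding, offset), ...]} for every expected file name that
    appears verbatim in the image. An empty dict means no known name leaked."""
    hits = {}
    for name in names:
        for enc in ("utf-8", "utf-16-le"):
            needle = re.escape(name.encode(enc))
            for m in re.finditer(needle, image):
                hits.setdefault(name, []).append((enc, m.start()))
    return hits


def printable_strings(image: bytes, min_len: int = 8) -> list:
    """Runs of printable characters (ASCII, then UTF-16LE), i.e. what a hex editor
    shows at a glance. Properly encrypted data should yield essentially none."""
    ascii_runs = [m.group().decode("ascii")
                  for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, image)]
    utf16_runs = [m.group().decode("utf-16-le")
                  for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, image)]
    return ascii_runs + utf16_runs


if __name__ == "__main__":
    # Usage: python leakcheck.py <image> <name1> [<name2> ...]; no args runs the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_IMAGE
    names = sys.argv[2:] or ["tax-return-2016.pdf", "passport.jpg"]
    for name, where in find_plaintext_names(data, names).items():
        print("LEAK: %s found at %s" % (name, where))
    for s in printable_strings(data):
        print("printable run:", s)
```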

  • @RiseT Thanks for your suggestions. We will pay attention to it.

  • Has this issue been resolved?

    I'm very satisfied with AOMEI Backupper in general, but this security risk is unacceptable for me.

  • It's been a year. Has this been resolved? I also believe this is an important issue. Sometimes whole portions of texts or emails appear clear, without encryption, which is surprising.

    The encryption scheme should be updated so that everything is encrypted, including file names, or even file content! Is there any technical challenge to do this soon?

  • That's the big problem! Aomei takes years to put a simple solution into the product. Either it does not reach the developers or they're slow.