Are password-protected ZIP files really secure?

In general, password-protected .zip files can be considered secure.

Some may be surprised to find out that, without knowing the correct password, any program (or user) can:

  • browse the list of files inside a password-protected ZIP archive,
  • check file types (try sending an encrypted, password-protected ZIP containing an EXE file via Gmail).

And… there are some other “interesting” things you should be aware of…

All .zip files can also be “broken” in the sense that you can overwrite an existing password-protected file stored inside the archive with another file of the same name, again without knowing the password.

Changing the contents of a .zip file without knowing the password means that this kind of archive cannot be considered secure in terms of integrity. An attacker may alter the contents to suit their needs without knowing the password. From a social engineering point of view this is a huge security issue.

None of these operations gives the attacker access to the contents (they will not be able to read the data); they can only list or amend it.
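The listing behaviour described above, seen from the side of a mail gateway or reviewer who has no password. This is an added example, not code from the original post. The sample archive is constructed inline with placeholder payloads and a hand-set "encrypted" flag, and `RISKY_EXT` is an assumed policy.

```python
import io
import zipfile

RISKY_EXT = (".exe", ".scr", ".bat", ".js")  # assumed gateway policy, not from the article

def build_sample():
    """Constructed archive: two entries flagged as encrypted, placeholder payloads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, size in (("invoice.exe", 64), ("notes/readme.txt", 32)):
            info = zipfile.ZipInfo(name, date_time=(2024, 1, 1, 0, 0, 0))
            zf.writestr(info, bytes(range(size)))
    raw = bytearray(buf.getvalue())
    # zipfile cannot write encrypted entries, so set general-purpose flag bit 0
    # ("encrypted") by hand in every local header (+6) and central header (+8).
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = raw.find(sig)
        while pos != -1:
            raw[pos + off] |= 0x01
            pos = raw.find(sig, pos + 4)
    return bytes(raw)

def inspect_without_password(raw):
    """Report what any reader learns from the central directory, no password given."""
    report = []
    with zipfile.ZipFile(io.BytesIO(raw)) as zf:
        for info in zf.infolist():
            try:
                zf.read(info.filename)  # reading contents requires the password
                readable = True
            except RuntimeError:
                readable = False
            report.append({
                "name": info.filename,
                "size": info.file_size,
                "encrypted": bool(info.flag_bits & 0x01),
                "readable": readable,
                "risky": info.filename.lower().endswith(RISKY_EXT),
            })
    return report

if __name__ == "__main__":
    for entry in inspect_without_password(build_sample()):
        print(entry)
```

Names, sizes and the encryption flag come from the unencrypted central directory, which is why a scanner can act on an EXE inside an archive it cannot open.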

You can read more about this topic in the following Security Stack Exchange questions:

I’m mentioning this only as possible side effects you may not be aware of. Some people treat these as security leaks, stating that for these reasons ZIP files are insecure, but others may assume that security is not violated, even with these “additions”.
