(via Ars Technica)
Embarrassingly, research published on Tuesday shows that Mega's own infrastructure cannot guarantee the security of users' stored data: anyone who controls Mega's servers can break it.
The authors point out that Mega's file encryption scheme contains basic cryptographic flaws that let an attacker controlling the server carry out a full key recovery attack once a user has logged in enough times.
If successful, the attacker can decrypt the user's stored files and even plant malicious files in the user's storage that are indistinguishable from data the user actually uploaded.
The researchers write: "We have demonstrated that Mega's system is incapable of protecting its users from malicious servers, and propose five different attack vectors, all of which can wreak havoc on the confidentiality of user files.
We build proof-of-concepts of all attacks and demonstrate real-world exploitability. In addition, the integrity of user data is at risk, and attackers can plant malware of their choice at will, bypassing all authenticity checks on the client side."
Although Mega received the researchers' private report in March, the update it began pushing on Tuesday is only a stopgap that makes the attack harder to execute.
The researchers cautioned that the patch does not address the key reuse, the lack of integrity checks, and the other systemic issues they had identified. They wrote in an email:
This means that these vulnerabilities can still be exploited if the prerequisites for other attacks are met in some different way.
Because of this, we do not endorse the patch even though the system is no longer affected by the exact attack chain proposed earlier.
RSA Key Recovery Attack (via)
The root of the problem is that Mega's key hierarchy has no integrity protection: the client cannot tell that the encrypted RSA private key the server hands it has been tampered with, so it decrypts the corrupted key and keeps using it instead of rejecting it. That is what opens the platform to key recovery attacks.
In its simple form, the attack leaks one bit of a prime factor of the RSA modulus per login, so a binary search recovers the private key after 1023 client logins. Combining the binary search with lattice cryptanalysis cuts the number of logins required to 512, as shown in the mega-awry.io proof-of-concept.
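To make the login count concrete, here is a simulation of the binary-search skeleton of the attack. It is an added illustration, not the researchers' proof-of-concept and not Mega's client code. The class MaliciousServer and the function recover_private_key are names chosen here; the oracle simply answers whether a chosen value lies below the secret prime, standing in for the real per-login leak (which the researchers extract from the client's RSA-CRT decryption of a tampered key and a chosen ciphertext, a construction not reproduced here). The toy RSA key generation is for the simulation only, and the lattice step that halves the login count to 512 is not modelled.

```python
"""Simulation of the one-bit-per-login binary search behind the MEGA RSA key
recovery attack (added example; simplified oracle, not MEGA's real leak)."""
import random

E = 65537  # conventional RSA public exponent


def is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin primality test (probabilistic, toy key generation only)."""
    if n < 2:
        return False
    for s in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % s == 0:
            return n == s
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits, rng):
    """Random prime with exactly `bits` bits (top bit forced to 1)."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng):
            return cand


def make_rsa_key(modulus_bits, seed):
    """Toy RSA key with two equal-size primes; deterministic via `seed`."""
    rng = random.Random(seed)
    half = modulus_bits // 2
    p = random_prime(half, rng)
    q = random_prime(half, rng)
    while q == p:
        q = random_prime(half, rng)
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return {"n": n, "e": E, "d": d, "p": p, "q": q}


class MaliciousServer:
    """Stand-in for the attacker-controlled server (hypothetical name).
    Each login() call models one client login and yields one bit: whether
    the attacker's chosen value x is below the secret prime q."""

    def __init__(self, q):
        self._q = q
        self.logins = 0

    def login(self, x):
        self.logins += 1
        return x < self._q


def recover_private_key(n, e, modulus_bits, server):
    """Binary-search q with one oracle bit per login, then derive p and d.
    q has modulus_bits//2 bits, so it lies in [2^(k-1), 2^k - 1]; halving
    that interval takes exactly k-1 logins (1023 for a 2048-bit modulus)."""
    k = modulus_bits // 2
    lo, hi = 1 << (k - 1), (1 << k) - 1  # invariant: lo <= q <= hi
    while lo < hi:
        mid = (lo + hi) // 2
        if server.login(mid):  # mid < q, so q is in [mid+1, hi]
            lo = mid + 1
        else:                  # mid >= q, so q is in [lo, mid]
            hi = mid
    q = lo
    if n % q != 0:
        raise ValueError("oracle answers inconsistent with the modulus")
    p = n // q
    d = pow(e, -1, (p - 1) * (q - 1))
    return {"p": p, "q": q, "d": d}


def demo(modulus_bits=2048, seed=1):
    """Run the full simulation and return the number of logins consumed."""
    key = make_rsa_key(modulus_bits, seed)
    server = MaliciousServer(key["q"])
    recovered = recover_private_key(key["n"], key["e"], modulus_bits, server)
    assert recovered["d"] == key["d"]
    return server.logins


if __name__ == "__main__":
    print("logins needed for a 2048-bit key:", demo())
```

Run as a script it reports 1023 logins for a 2048-bit modulus, matching the simple form of the attack. The point of the simulation is the budget, not the oracle: as long as the client accepts a tampered key without an integrity check, every login is one free query, and the attacker needs no more logins than the prime has bits.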
Regrettably, Mega chairman Stephen Hall denies that the findings break the privacy promise the company made to users a decade ago. His reasoning is that the vulnerability only lets a malicious actor succeed if an active user logs in more than 512 times, which he says is fairly rare.
Whether Mega will go on to adopt the medium- and long-term remediation plan the researchers proposed remains to be seen.