

ETH Zurich finds flaws in the firm’s cryptographic infrastructure

MEGA claims that its storage service is private by design, but according to researchers, the technology is beset with “serious” security issues.

Based in New Zealand, MEGA is a cloud storage service and messaging platform that offers end-to-end encryption to more than 250 million users. MEGA also allows users to make audio and video calls.

The company calls itself a “zero-knowledge” encryption service built with “privacy by design”.

“All your data on MEGA is encrypted with a key derived from your password – in other words, your password is your main encryption key,” the organization says. “MEGA does not have access to your password or your data.”

However, according to the ETH Zurich University, based in Switzerland, in-depth testing of the platform has revealed “security holes that would allow the provider to decrypt and manipulate customer data”, despite its marketing claims to the contrary.

ETH Zurich cryptography researchers Matilda Backendal, Miro Haller, and Professor Kenneth Paterson analyzed MEGA’s source code and cryptographic architecture, uncovering a total of five vulnerabilities.

Encryption cracked

After recreating part of the MEGA platform and attempting to brute-force their own accounts, the team says they found that using one main key represents a “fundamental” weakness in the service.

A paper (PDF) describing the flaw says that the MEGA client derives an authentication key from a user’s password. This key is then used to encrypt other key material, files, and more.

A lack of integrity protection of ciphertexts containing keys breaks the confidentiality of the master key and overall encryption system, according to the researchers. This permits integrity attacks, RSA key and plaintext recovery attacks, and establishes an RSA decryption attack vector.

By hijacking only a session ID, it takes a maximum of 512 login attempts to break into a MEGA account.

“An additional manipulation of the MEGA software program on the computer of the victim can force their user account to constantly log in automatically,” the researchers said. “This shortens the time needed to fully reveal the key to just a few minutes.”

It then may be possible to compromise other keys used on the MEGA platform. Potential post-attack vectors could include stealing user data or even uploading files – such as illegal or compromising images and video – locking up the account, and then blackmailing the targeted individual.

Paterson said the team reported its findings to MEGA on March 24 and proposed ways to resolve the security holes. While MEGA apparently “decided to react in ways that are different than what we suggested,” according to the researcher, the initial attack vector on the RSA key has now been patched.

When approached for comment, MEGA pointed us toward a security advisory which says the first fix has been rolled out and additional patches are being developed.

According to MEGA, only customers that have logged into their account at least 512 times could be at risk – and this does not include resuming existing sessions.

Furthermore, the organization says that to take advantage of the cryptographic flaws, attackers would need to “gain control over the heart of MEGA’s server infrastructure or achieve a successful man-in-the-middle attack on the user’s TLS connection to MEGA”.
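The researchers’ central point is that ciphertexts carrying keys had no integrity protection. As an added illustration in Go (not MEGA’s code and not from the ETH Zurich paper), the example below wraps a master key once with a bare AES block and once with AES-GCM, flips one bit in each wrapped blob, and shows that only the authenticated form notices. The key-encryption key, the master key and the single-block wrapping format are constructed for the illustration and stand in for, rather than reproduce, MEGA’s actual scheme.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)
// Constructed 16-byte key-encryption key standing in for a password-derived key.
var kek = []byte("0123456789abcdef")
// Neither constructor can fail for AES-128 (fixed key and block size), so errors are dropped.
func aesBlock() cipher.Block { b, _ := aes.NewCipher(kek); return b }
func aesGCM() cipher.AEAD   { g, _ := cipher.NewGCM(aesBlock()); return g }
// Unauthenticated wrap: one raw AES block. Any 16 bytes decrypt to some key, so tampering is never noticed.
func wrapRaw(key []byte) []byte {
	out := make([]byte, aes.BlockSize)
	aesBlock().Encrypt(out, key)
	return out
}
func unwrapRaw(wrapped []byte) []byte {
	out := make([]byte, aes.BlockSize)
	aesBlock().Decrypt(out, wrapped)
	return out
}
// Authenticated wrap: AES-GCM blob nonce || ciphertext || tag. Open fails closed on any change.
func wrapAEAD(key []byte) []byte {
	nonce := make([]byte, aesGCM().NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // no entropy source: refuse to continue with a bad nonce
	}
	return aesGCM().Seal(nonce, nonce, key, nil)
}
func unwrapAEAD(blob []byte) ([]byte, error) {
	g := aesGCM()
	if len(blob) < g.NonceSize()+g.Overhead() {
		return nil, errors.New("wrapped key too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}
// Demo flips one bit in each blob: rawSilent = raw unwrap gave a wrong key with no error; aeadRejected = GCM refused it.
func Demo() (rawSilent, aeadRejected bool) {
	master := []byte("constructed-mk16") // constructed 16-byte master key
	raw := wrapRaw(master)
	raw[0] ^= 1
	sealed := wrapAEAD(master)
	sealed[len(sealed)-1] ^= 1 // a tag bit; flipping a nonce or ciphertext bit fails the same way
	_, err := unwrapAEAD(sealed)
	return string(unwrapRaw(raw)) != string(master), err != nil
}
```

Because AES is a permutation, the tampered raw block always decrypts to a different key than the one wrapped, and the caller has no signal that anything changed; the GCM unwrap returns an error instead of a key.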
