In the ten years since its inception, Kim Dotcom’s MEGA cloud storage has gained 250 million registered users. They have stored an incredible 120 billion files here, occupying more than 1,000 petabytes. The key argument that helped this growth is the promise that none of the big competitors make: not even the operator can decrypt the stored data.
For example, you can see an image on the homepage that compares MEGA’s offer to Dropbox and Google Drive. In addition to the fact that MEGA comes at significantly lower prices, the comparison highlights that offers end-to-end encryptionwhile the two competitors did not.
Over the years, the company has repeatedly pointed out this alleged difference. It is probably best summarized in a blog post in which it states: “If you use a strong and unique password, no one will ever have access to your data. Even in the extremely unlikely event that the entire infrastructure is confiscated! ”
This is not entirely true
A study published on Tuesday shows that allegations that an operator or entity in control of the infrastructure does not have access to the stored data is not true. The authors claim that the architecture that MEGA uses to encrypt files is fraught with fundamental bugs in cryptography that allow anyone in control of the platform to attack the entire user key.
As a result, the intruder can decrypt the saved files or even upload incriminating or otherwise malicious files to the account, and this data will be indistinguishable from those actually uploaded. “We have shown that MEGA does not protect users from malicious servers, and we have introduced five different attacks that allow a complete breach of user file confidentiality.” written by experts on the MEGA Awry website.
After receiving information about the identified deficiencies in March, the operator began implementing an update this Tuesday that makes it more difficult to carry out the attacks. However, experts warn that the fix only provides “ad hoc” means to thwart the key recovery attack, but it does not solve the problem of its reuse at allinsufficient integrity checks and other systemic problems they identified.
“This means that if the preconditions for other attacks are met in some other way, they can still be abused.” security experts wrote in an e-mail to Ars Technica magazine, which provides detailed information about the whole case. “That’s why we don’t approve this fix, but the system will no longer be vulnerable to the exact chain of attack we’ve proposed.”
Hammer, hammer, hammer
MEGA is reserved about the discovery of security experts. In an e-mail to the press, Stephen Hall, chairman of the board, only acknowledged that for a short time there was a possibility that the attacker could deny the data security commitment, but only in very limited circumstances and with a very small number of users. According to him, everything was fixed.
The basis of the MEGA encryption scheme is the password that each user chooses. Cross-platform client software uses this password to derive two keys: one to authenticate users on servers and the other to encrypt a randomly generated master key that encrypts other material used to encrypt files, folders, and private chats.
Experts have found that this hierarchy lacks the means to ensure key integrity. As a result, the servers continued to interact instead of rejecting the invalid key. This opens a key recovery attack that can be performed when a user logs in to their account more than 512 times.
Experts have created evidence of an attack concept that hijacks a login session using a secret probe that takes the form of a session ID token. This was adjusted against the token that the client application expected. Although the login fails and requires the user to re-enter the password, it would be trivial for anyone who controls the platform to simply accept the returned ID.
Magic 512 login
Once this the process completes more than 512 times, the attacker obtains the entire RSA private keywhich is used to encrypt all other keys and key material. This can be linked to other exploits that experts have invented that allow for four more attacks.
Stephen Hall, however, counters that “The vulnerabilities identified only negate the warranty if the user has logged in more than 512 times while the theoretical attacker was active.” According to him, it is clear that no malicious process has been started in the MEGA system and he is convinced that very few users would log in more than 512 times at a time when the platform would be under this potential attack.
Mistakes are serious not only because they deny the ten-year security guarantees announced by the service provider, but also because they reveal an architecture that is not as advanced as many users and reviewers thought. Research also highlights a non-trivial problem of how to fully correct bugs.
“The attacks presented here show that it is possible for a motivated attacker to find and exploit vulnerabilities in real cryptographic architectures, which has devastating security implications.” written by experts. “It is particularly worrying that services such as MEGA – which advertise privacy as a core function and therefore attract users in particular who need strong protection – are unable to withstand cryptanalysis.”