One of the world’s most popular cloud storage (opens in new tab) service providers was carrying several severe vulnerabilities that allowed threat actors to read even encrypted (opens in new tab) files, researchers have found.
A team from ETH Zurich discovered five vulnerabilities on the Mega platform that revolve around stealing and deciphering an RSA key (a private key based on RSA algorithm).
The team discovered the flaws in late March this year, and reported it to the company. Soon enough, Mega released patches and mitigations for some of the flaws, while for others, the patches are still a work in progress. The patches do not affect user experience, and don’t require users to encrypt their stored data all over again, it was said. They also don’t need to change any passwords, or create any new keys.
Ideal for disgruntled employees
While patches not being available for all flaws is certainly bad news, good news is that Mega hasn’t seen anyone exploit them in the wild, just yet. There’s no concrete timeline on when the remaining patches will be released.
In a video explanation of the flaw, the researchers said the attack relies on prime factor guessing through comparison, and that the attacker would need at least 512 login attempts to breach an endpoint (opens in new tab). What’s more, they would also need to have access to Mega’s servers, which means for outsider threats – the vulnerabilities are not exactly viable.
For insiders or disgruntled employees, however, it’s a whole different story.
“Seeing how seemingly innocuous cryptographic design shortcuts taken almost a decade ago backfire under scrutiny by three of the sector’s brightest minds is both frightening and intellectually fascinating,” Mega said in a statement.
“The very high threshold of exploitability, despite the broad range of identified cryptographic flaws, provides a certain sense of relief.”
A detailed breakdown of the flaw and MEGA’s countermeasures can be found on this link (opens in new tab).