This top cloud storage firm has some mega security issues
One of the world's most popular cloud storage service providers was running a number of serious vulnerabilities that allowed threat actors to read even encrypted files, researchers have found.
A team at ETH Zurich discovered five vulnerabilities in the MEGA platform, all of which revolve around stealing and deciphering users' RSA keys (private keys based on the RSA algorithm).
The team discovered the flaws in late March this year and reported them to the company. Mega soon released patches and mitigations for some of the flaws, while patches for the others are still a work in progress. The patches do not affect the user experience and do not require users to re-encrypt their stored data, the company said; users also do not need to change their password or generate a new key.
Ideal for disgruntled employees
While not having patches available for all of the flaws is certainly bad news, the good news is that Mega has yet to see anyone exploit them in the wild. There is no concrete timeline for when the remaining patches will be released.
In a video explanation of the flaw, the researchers said that the attack relies on a prime factor of the RSA key being inferred through comparisons, and that the attacker would need at least 512 login attempts to breach the endpoint. In addition, they would also need access to Mega's servers, which means the vulnerabilities are not viable for external threats.
However, for insiders or disgruntled employees, it is an entirely different story.
“Seeing how innocuous cryptographic design shortcuts nearly a decade ago were taken under scrutiny by three of the sector’s brightest minds is both frightening and intellectually fascinating,” Mega said in a statement.
“Despite the wide range of cryptographic flaws identified, the very high extent of exploitation provides a certain sense of relief.”
A detailed analysis of the flaws and MEGA's countermeasures can be found at this link.
Via: Bleeping Computer