Mega, the famous online storage site, is not nearly as secure as it seems

Researchers from the Applied Cryptography Group at ETH Zurich have unveiled proofs of concept that show hackers can steal a user’s private RSA key and then access their data. Mega responded accordingly with an update to its app.

Launched in 2013 by the famous and sulphurous Kim Dotcom, Mega is a cloud storage service. It tries to distinguish itself from the competition, for example Dropbox and Google Drive, by insisting on an important feature: end-to-end encryption. Thus, your files are stored in an encrypted form on Mega’s servers and only you can decrypt them.

Mega comparison
(c) Mega

For this, Mega uses a very complex system of encryption keys that takes the user-defined password as its starting point. This password, which is not stored at Mega, is used to create an authentication key (Authentication Key), to connect, and an encryption key (Encryption Key). The latter is used to generate a primary, or master, key (master key) which will then lead to the creation of four pairs of asymmetric keys.

Mega key generation
(c) ETH Zurich

These keys have the following functions:

  • Ed25519 Signature Key: key to sign other keys
  • RSA Sharing Key: key to share data with other users
  • Curve25519 Chat Key: key for instant messaging
  • Node Keys: keys for each file in the folder uploaded to the server

Private keys and NodeKeys are stored on Mega’s server in encrypted form, using the master key. In short, the system is based on numerous encryption operations, which guarantees data security a priori.

But security researchers from ETH University in Zurich discovered that there were flaws in the system and that it was possible to decrypt files stored on Mega’s servers, or even upload other files without the user is notified.

To do this, they implement five different types of attacks, the most important of which recovers a user’s private RSA key by exploiting the lack of protection for the integrity of the encrypted keys on Mega’s servers. Thus, an invalid encrypted key is still processed by the server instead of being rejected. The operation is possible, either by taking control of Mega’s servers, or by using an attack of the type ” man in the middle (the hacker positions himself between the client and the server). In the video below, the first eight bits of the private RSA key are intercepted to show that the concept works.

However, it takes a minimum of 512 login attempts to achieve its purpose, which takes time since users often stay logged in all the time. The hacker must therefore cause disconnections for the user to start the operation again.

The researchers insist that it is then possible to access all the keys that are stored on Mega’s server in an encrypted form using the master key. A pirate, even Mega, can thus access the user’s files and instant messaging.

The researchers shared their findings with Mega on March 24. The service provider reacted by publishing a article on June 21, indicating that, of the five vulnerabilities, the two concerning the potential decryption of data are now fixed by an update of the applications (desktop and mobile), as well as the web client. Mega has therefore prepared for the most urgent, which is good news for users of the service, without however reviewing the encryption processes from top to bottom so as not to erase the data already stored. Mega wants to avoid asking its customers to change their passwords and upload their files again. Currently, the service has over 250 million users and stores 1,000 petabytes of data.

Source :

Applied Crypto Group ETH Zurich

Leave a Comment