Researchers found flaws in MEGA that allowed to decrypt of user data

Researchers at ETH Zurich discovered several critical flaws in the MEGA cloud storage service that could have allowed the decryption of user data

MEGA has addressed multiple vulnerabilities in its cloud storage service that could have allowed threat actors to decrypt user data stored in encrypted form.

Data on Mega services is end-to-end encrypted client-side using the AES algorithm, this means that the company does not know the encryption keys to uploaded files and cannot view the content. For this reason, the company claims that is not responsible for the contents of uploaded files.

The service has over 250 million registered users for a total of 120 billion files amounting to 1000 petabytes in size.

“Researchers at the Department of Computer Science of the ETH Zurich in Zurich, Switzerland reviewed the security of MEGA and found significant issues in how it uses cryptography.” reported Malwarebytes. “These findings could lead to devastating attacks on the confidentiality and integrity of user data in the MEGA cloud.”

Researchers at ETH Zurich, in Switzerland reported the flaws to MEGA on March 24, 2022.

“Additionally, the integrity of user data is damaged to the extent that an attacker can insert malicious files of their choice which pass all authenticity checks of the client,” reads the paper published by ETH Zurich’s researchers.

MEGA accounts have a set of asymmetric RSA keys, an RSA key pair for sharing data, a Curve25519 key pair for exchanging chat keys for MEGA’s chat functionality, and an Ed25519 key pair for signing the other keys. The experts pointed out that the client generates a new key for every file or folder uploaded by the user. The weakness resides in the fact that all the keys are derived in one way or another from the password. The researchers also highlighted that all the keys get stored on MEGA’s servers to support access from multiple devices.

The researchers devised five attacks that rely on stealing and deciphering an RSA key.

One of the attacks, the RSA Key Recovery Attack, allows threat actors to control MEGA API infrastructure to recover a user’s RSA private key by tampering with 512 login attempts and decrypt the stored content.

The other attacks devised by the experts are:

• Plaintext Recovery Attack, which allows MEGA to decrypt key material, including node keys, and use them to decrypt all user communication and files.
• Framing Attack, which allows MEGA to insert arbitrary files into the user’s file storage that are indistinguishable from genuinely uploaded ones.
• Integrity Attack, it is similar to the Framing Attack, but it is more stealth.
• Guess-and-Purge (GaP) Bleichenbacher attack, which allows to decrypt RSA ciphertexts.

The good news is that the company is not aware of any compromised user accounts or data by exploiting one of the flaws discovered by the researchers.

MEGA has addressed two vulnerabilities that can be exploited by attackers to decrypt user data, mitigated the third one (framing), and will fix the remaining two in upcoming updates.

“The whitepaper published today represents the gold standard in cryptographic research, and we are extremely grateful for the privilege of having been chosen as a target. Seeing how seemingly innocuous cryptographic design shortcuts taken almost a decade ago backfire under scrutiny by three of the sector’s brightest minds is both frightening and intellectually fascinating. The very high threshold of exploitability, despite the broad range of identified cryptographic flaws, provides a certain sense of relief.” states MEGA

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, MEGA attacks)

[adrotate banner=”5″]

[adrotate banner=”13″]