A team from ETH Zurich discovered five vulnerabilities on the Mega platform that revolve around stealing and deciphering an RSA key (a private key based on RSA algorithm).
The team discovered the flaws in late March this year, and reported it to the company. Soon enough, Mega released patches and mitigations for some of the flaws, while for others, the patches are still a work in progress. The patches do not affect user experience, and don’t require users to encrypt their stored data all over again, it was said. They also don’t need to change any passwords, or create any new keys.
Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022. Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey to get the bookazine, worth $10.99/£10.99.
Ideal for disgruntled employees
While patches not being available for all flaws is certainly bad news, good news is that Mega hasn’t seen anyone exploit them in the wild, just yet. There’s no concrete timeline on when the remaining patches will be released.
In a video explanation of the flaw, the researchers said the attack relies on prime factor guessing through comparison, and that the attacker would need at least 512 login attempts to breach an endpoint. What’s more, they would also need to have access to Mega’s servers, which means for outsider threats - the vulnerabilities are not exactly viable.
For insiders or disgruntled employees, however, it’s a whole different story.
"Seeing how seemingly innocuous cryptographic design shortcuts taken almost a decade ago backfire under scrutiny by three of the sector's brightest minds is both frightening and intellectually fascinating," Mega said in a statement.
"The very high threshold of exploitability, despite the broad range of identified cryptographic flaws, provides a certain sense of relief."
A detailed breakdown of the flaw and MEGA’s countermeasures can be found on this link.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.