Researchers discover ways to break the encryption of ‘MEGA’ cloud storage service


A new study from academics at ETH Zurich has identified a number of critical security vulnerabilities in the MEGA cloud storage service that could be used to breach the confidentiality and integrity of user data.

In a newspaper titled “MEGA: malleable encryption goes wrongThe researchers point out that MEGA’s system does not protect its users from a malicious server, allowing a rogue actor to completely compromise the privacy of the uploaded files.

“In addition, the integrity of user data is damaged in such a way that an attacker can insert malicious files of their choice that pass all authentication checks of the client,” Matilda Backendal, Miro Haller and Kenneth G. Paterson of ETH Zurich said in an analysis. of the cryptographic architecture of the service.

MEGA, that advertises Calling itself the “privacy company” and claiming to provide user-controlled end-to-end encrypted cloud storage, it has over 10 million daily active users, with over 122 billion files uploaded to the platform to date.

Chief among the weaknesses is a RSA Key Recovery Attack that allows MEGA (acting maliciously itself) or a resourceful nation state in control of its API infrastructure to recover a user’s RSA private key by tampering with 512 login attempts and decrypting the stored content.

“Once a targeted account made enough successful logins, incoming shared folders, MEGAdrop files, and chats could be decryptable,” said Mathias Ortmann, MEGA’s lead architect, said following the findings. “Files in the cloud drive can be decrypted sequentially during subsequent logins.”

The recovered RSA key can then be expanded to make way for four other attacks:

Plaintext Recovery Attack, which allows MEGA to decrypt node keys – an encryption key associated with each uploaded file and encrypted with a user’s master key – and use them to decrypt all user communications and files. Framing Attack, where MEGA can insert arbitrary files into the user’s file storage that are indistinguishable from actually uploaded files. Integrity Attack, a less stealthy variant of the Framing Attack that can be exploited to forge a file in the victim’s name and place it in the target’s cloud storage, and

“Each user has a public RSA key that is used by other users or MEGA to encrypt data for the owner, and a private key that is used by the user themselves to decrypt the data shared with them,” the researchers explained. “With this [GaP Bleichenbacher attack]MEGA can decrypt these RSA ciphers, although this requires an impractical number of login attempts.”

In a nutshell, the attacks can be armed by MEGA or an entity that manages its core infrastructure to upload similar files and decrypt all files and folders owned or shared with the victim, as well as the chat messages exchanged.

The flaws are serious as they undermine MEGA’s alleged security guarantees, prompting the company to release updates to address the first three of the five issues. The fourth integrity violation vulnerability is expected to be addressed in an upcoming release.

As for the Bleichenbacher-esque attack on MEGA’s RSA encryption mechanism, the company noted that the attack “is difficult to execute in practice, as it takes an average of about 122,000 customer interactions” and that it would remove the old code from all of its customers. remove.

MEGA further emphasized that it is not aware of any user accounts that may have been compromised by the aforementioned attack methods.

“For the vulnerabilities reported, MEGA would have to become a bad player against some of its users, or otherwise only be exploited if another party has undetected compromised MEGA’s API servers or TLS connections,” Ortmann noted.

“The Attacks” […] arise from unexpected interactions between apparently independent components of MEGA’s cryptographic architecture,” the researchers explained. “They indicate the difficulty of maintaining large-scale systems using cryptography, especially when the system has an evolving set of functions and on multiple platforms are deployed. †

“The attacks presented here show that it is possible for a motivated party to find and exploit vulnerabilities in cryptographic architectures in the real world, with devastating results for security. It is conceivable that systems in this category will attract adversaries who are willing investing significant resources to compromise the service itself, increasing the likelihood of high-complexity attacks.”