A look at the (now patched) security of [Kim Dotcom’s] MEGA cloud storage service

mega-cloud-storage-security

MEGA is a new, encrypted cloud storage system founded by [Kim Dotcom] of MegaUpload fame. They’re selling privacy in that the company won’t have the means to decrypt the data stored by users of its service. As with any software project, their developers are rapidly making improvements to the user interface and secure underpinnings. But it’s fun when we get some insight about possible security problems. It sounds like the issue [Marcan] wrote about has been fixed, but we still had a great time reading his post.

The article focuses on the hashes that the website uses to validate data being sucked in from non-SSL sources using some JavaScript. Those insecure sources are a CDN so this type of verification is necessary to make sure that the third-party network hasn’t been compromised as part of an attack on the MEGA site. The particular security issue came when the hashes were generated using CBC-MAC. [Marcan] asserts that this protocol is not adequate for the application it’s being used for and goes on to post a proof-of-concept on how the messages can be forged while retaining a hash that will validate as authentic.

[Thanks Christian]

25 thoughts on “A look at the (now patched) security of [Kim Dotcom’s] MEGA cloud storage service

  1. The simple fact is that if you really care about your data security on some one elses server, you have to encrypt it your self. Also use mutiple layers of encryption with different long pasphrases, long is better than good! You should also encrypt everyting you can, important or not. That way any attacker has to spend time without knowing what they are going to get.

    1. Quite.

      When Mega matures and allows you WebDAV or equivalent functionality, the only thing that will matter is the free 50GB. They could even drop the encryption, unless they need it to paper their arses with.

      The two big questions are whether that is a viable business model, and whether NZ’s small number of international Internet links will be able to cope, assuming the Kiwis can stay away from their beer’n’barbies long enough to notice.

      1. “cover” their arses, I think you meant!

        But yeah. Basically Kim wants to run a giant piracy site, without being held legally liable. Having everything properly encrypted should cover that.

        File sharing’s how he made his money, it’s what he’s good at and all he needs to do.

        File sharing sites are very useful. I just worry that this is setting up a fight between the little-known right of people to use encryption, vs the enormous Hollywood $$$ that inevitably get thrown at these things. Like Sony’s rootkit proved, media barons are not honorable or ethical people, it’s strictly and massively about enormous sums of money.

        Putting that against the public’s rights and interests, will be a difficult fight. The media industry like to steamroller thru cases like this, then salt the earth afterwards, just in case.

        The public don’t really know or care about encryption. And will easily believe it’s just something for hackers and paedophiles. Especially if the media tell them that.

        I worry the laws about all this kind of stuff are being made too quickly and without enough insight. All of these laws will become a hundred times more important in years to come. Governments are allowed to change their minds on mistakes. They just tend not to ever do it.

  2. I tried to set up an account using my @Outlook Email. It wont accept it it I never get the validation email, works for Gmail just fine go figure??

    1. Options > More Options > Safe and blocked senders > Safe Senders

      Add hostmaster[at]mega[dot]co[dot]nz to the list.

      Try setting up an account again, now you’ll receive the validation email instantly. I almost went nuts for two days because of that, after having set up an account with a gmail address in less than 5 minutes.

  3. Incredible. I *just* narrowly grasped his explanation, but understood enough to realize the flaw. I hope Marcan gets some job offers after this post! Or a raise!

  4. This is only funny if you know where they got the developers from…

    Using a insecure padding generator is just idiotic and boring…

    1. By the way it’s funny kim dot com is considered a hacker because he contracted developers years back to do BHSEO and spyware..

          1. You’re making Dotcom sound like an over-celebrated script kiddie while he clearly a brilliant/slightly devious person. Give the guy some credit.

          2. FYI: He was rich before he started doing marketing around file hosting and none of it was based around programming or electronics, except sales in some cases…

            One of his old partners was a weapons dealer for the Russian mafia… still is actually

    1. I like how obvious it is that file host business models are based around piracy, and the only thing governments can enforce is cease and assist…. imagine if there were complex problems…

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s