Sunday, September 8, 2024
HomeCVE/vulnerabilityCritical Flaws in MEGA Cloud Storage Let Attacker Decrypt User Data

Critical Flaws in MEGA Cloud Storage Let Attacker Decrypt User Data

Published on

The experts at one of Europe’s leading universities, ETH Zurich, Switzerland reported a critical vulnerability in MEGA cloud storage that allows the attacker to decrypt the user data.

MEGA is a cloud storage and file hosting service offered by MEGA Limited, a company based in Auckland, New Zealand. The service is offered through web-based apps. MEGA mobile apps are also available for Android and iOS.  The company is known for the largest fully featured free cloud storage in the world with 20 GB storage allocation for free accounts.

MEGA has released software updates that fix a critical vulnerability that exposes user data.

- Advertisement - EHA

How the Attack is carried out?

The researchers say an attacker would have gained control over the heart of MEGA’s server infrastructure or achieved a successful man-in-the-middle attack on the user’s TLS connection to MEGA.

When a targeted account had made enough successful logins, incoming shared folders, MEGAdrop files, and chats could have been decryptable. Files in the cloud drive could have been successively decrypted during subsequent logins. In addition, files could have been placed in the account that appears to have been uploaded by the account holder (a “framing” attack).

A team of researchers from the Applied Cryptography Group at the Department of Computer Science, ETH Zurich, reported a total of five vulnerabilities in MEGA’s cryptographic architecture.

Five Attacks Identified by the Researchers

The Identified Vulnerabilities

  • Incrementally accumulate some information every time a MEGA user logs in.
  • After a minimum of 512 such logins, the collected information enabled the attacker to decrypt parts of the account and also leverage further logins to successively decrypt the remainder of it.
  • Privacy and integrity of all stored data and chats are being destroyed.
  • Insert arbitrary files into a user’s account.
  • The issue is in the legacy chat key exchange mechanism.

Researchers noted that even if a provider’s API servers become controlled by an adversary, the encrypted user data should never be readable by the attacker – not even after 512 logins.

Furthermore, the folder links are not integrity-protected and carry the required meta AES key, and the mechanics underpinning the MEGAdrop feature could be leveraged.

Updates Available

Users are recommended to upgrade the client software on all devices and then convert their account to a new, backward-incompatible, format.

“We urge all users who are logging in frequently to upgrade their MEGA app as soon as possible. We also invite vendors of third-party client software to upgrade to the latest MEGA SDK, and those who maintain their own MEGA API client implementation, to add an equivalent fix.”, according to the security update released by MEGA.

MEGA has fixed the two vulnerabilities that can lead to user data decryption on all clients – RSA key recovery and plaintext recovery, mitigated the third one – framing, and in the future, the company will address the remaining two issues.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Vulnerabilities in IBM Products Let Attackers Exploit & Launch DOS Attack

IBM has issued a security bulletin addressing critical vulnerabilities in its MQ Operator and...

BBTok Abuses Legitimate Windows Utility Command Tool to Stay Undetected

Cybercriminals in Latin America have increased their use of phishing scams targeting business transactions...

Predator Spyware Exploiting “one-click” & “zero-click” Flaws

Recent research indicates that the Predator spyware, once thought to be inactive due to...

Tropic Trooper Attacks Government Organizations to Steal Sensitive Data

Tropic Trooper (aka KeyBoy, Pirate Panda, and APT23) is a sophisticated cyberespionage APT group,...

Free Webinar

Decoding Compliance | What CISOs Need to Know

Non-compliance can result in substantial financial penalties, with average fines reaching up to $4.5 million for GDPR breaches alone.

Join us for an insightful panel discussion with Chandan Pani, CISO - LTIMindtree and Ashish Tandon, Founder & CEO – Indusface, as we explore the multifaceted role of compliance in securing modern enterprises.

Discussion points

The Role of Compliance
The Alphabet Soup of Compliance
Compliance
SaaS and Compliance
Indusface's Approach to Compliance

More like this

Vulnerabilities in IBM Products Let Attackers Exploit & Launch DOS Attack

IBM has issued a security bulletin addressing critical vulnerabilities in its MQ Operator and...

BBTok Abuses Legitimate Windows Utility Command Tool to Stay Undetected

Cybercriminals in Latin America have increased their use of phishing scams targeting business transactions...

Predator Spyware Exploiting “one-click” & “zero-click” Flaws

Recent research indicates that the Predator spyware, once thought to be inactive due to...