Security Experts:

Top Cryptographers Flag 'Devastating' Flaws in MEGA Cloud Storage

Cryptographers at Swiss university ETH Zurich have found at least five exploitable security flaws in the privacy-themed MEGA cloud storage service and warned that the issues could lead to “devastating attacks on the confidentiality and integrity of user data in the MEGA cloud.”

The ETH Zurich team documented the security defects in a research paper [pdf] that warns that MEGA has not issued a comprehensive fix for all the reported vulnerabilities.

“We show that MEGA's system does not protect its users against a malicious server and present five distinct attacks, which together allow for a full compromise of the confidentiality of user files,” the cryptographers warned. 

“Additionally, the integrity of user data is damaged to the extent that an attacker can insert malicious files of their choice which pass all authenticity checks of the client. We built proof-of-concept versions of all the attacks, showcasing their practicality and exploitability.”

[ READ: ETH Zurich Research: Simulated Phishing Tests Make Orgs Less Secure ]

MEGA, based in New Zealand, markets itself as a secure cloud storage service with “privacy by design” that aims to achieve user-controlled end-to-end encryption. 

“When a system has grown popular enough to attract the attention of independent researchers, skilled adversaries may have already compromised the system. Mitigating attacks cannot undo the consequences of such compromises,” the researchers said.

MEGA released its own advisory acknowledging the ETH Zurich findings and released patches to mitigate the vulnerabilities but the company claims the issues are very complex and difficult to exploit.

“An attacker would have had to first gain control over the heart of MEGA’s server infrastructure or achieve a successful man-in-the-middle attack on the user’s TLS connection to MEGA,” said Mathias Ortmann, chief architect at MEGA.

[ READ: Critical Vulnerability Exposed Azure Cosmos DBs for Months ]

The company confirmed the five vulnerabilities in MEGA’s cryptographic architecture that would allow an attacker who is in control of MEGA’s API back-end or who is able to mount a TLS man-in-the-middle attack to undermine certain cryptographic assurances expected by MEGA users. 

“The reported vulnerabilities would have required MEGA to become a bad actor against certain of its users, or otherwise could only be exploited if another party compromised MEGA’s API servers or TLS connections without being noticed,” the company said.

Here's the description of the five documented attacks:

RSA Key Recovery Attack -  The researchers discovered a practical attack to recover a user’s RSA private key by exploiting the lack of integrity protection of the encrypted keys stored for users on MEGA’s servers. An entity controlling MEGA’s core infrastructure can tamper with the encrypted RSA private key and deceive the client into leaking information about one of the prime factors of the RSA modulus during the session ID exchange. 

Plaintext Recovery - A plaintext recovery attack lets the adversary compute the plaintext from a given ciphertext. In this specific attack, MEGA can decrypt AES-ECB ciphertexts created with a user’s master key. This gives the attacker access to the aforementioned and highly sensitive key material encrypted in this way. With the sharing, chat, signing, and node keys of a user, the adversary can decrypt the victim’s data or impersonate them.

Framing Attack - This attack allows MEGA to forge data in the name of the victim and place it in the target’s cloud storage. While the previous attacks already allow an adversary to modify existing files using the compromised keys, this attack allows the adversary to preserve existing files or add more documents than the user currently stores.  A conceivable attack might frame someone as a whistle-blower and place an extensive collection of internal documents in the victim’s cloud storage. Such an attack might gain credibility when it preserves the user’s original cloud content.

Integrity Attack – This attack exploits the peculiar structure of MEGA’s obfuscated key objects to manipulate an encrypted node key such that the decrypted key consists of all zero bytes. Since the attacker now knows the key, this key manipulation can be used to forge a file in a manner similar to the framing attack. Unlike for the framing attack (which requires the ability to decrypt arbitrary AES-ECB ciphertexts), for this attack the adversary only needs access to a single plaintext block and the corresponding ciphertext encrypted with AES-ECB under the master key.

GaP-Bleichenbacher Attack – MEGA can decrypt RSA ciphertexts using an expensive padding oracle attack.

The ETH Zurich team said MEGA’s introduction of additional client-side checks on the format of RSA private keys protects against the RSA key recovery attack but noted that the fix “significantly differs from our proposed countermeasures.”

Related: ETH Zurich Research: Simulated Phishing Tests Make Orgs Less Secure

Related: New Attacks Allow Bypassing EMV Card PIN Verification

Related: Critical Vulnerabilities in Azure PostgreSQL Exposed User Databases

Related: Microsoft Confirms 'NotLegit' Azure Flaw Exposed Source Code

view counter
Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. Ryan is a veteran cybersecurity strategist who has built security engagement programs at major global brands, including Intel Corp., Bishop Fox and GReAT. He is a co-founder of Threatpost and the global SAS conference series. Ryan's past career as a security journalist included bylines at major technology publications including Ziff Davis eWEEK, CBS Interactive's ZDNet, PCMag and PC World. Ryan is a director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world. Follow Ryan on Twitter @ryanaraine.