Security Experts:

Connect with us

Hi, what are you looking for?


Application Security

Top Cryptographers Flag ‘Devastating’ Flaws in MEGA Cloud Storage

Cryptographers at Swiss university ETH Zurich have found at least five exploitable security flaws in the privacy-themed MEGA cloud storage service and warned that the issues could lead to “devastating attacks on the confidentiality and integrity of user data in the MEGA cloud.”

Cryptographers at Swiss university ETH Zurich have found at least five exploitable security flaws in the privacy-themed MEGA cloud storage service and warned that the issues could lead to “devastating attacks on the confidentiality and integrity of user data in the MEGA cloud.”

The ETH Zurich team documented the security defects in a research paper [pdf] that warns that MEGA has not issued a comprehensive fix for all the reported vulnerabilities.

“We show that MEGA’s system does not protect its users against a malicious server and present five distinct attacks, which together allow for a full compromise of the confidentiality of user files,” the cryptographers warned. 

“Additionally, the integrity of user data is damaged to the extent that an attacker can insert malicious files of their choice which pass all authenticity checks of the client. We built proof-of-concept versions of all the attacks, showcasing their practicality and exploitability.”

[ READ: ETH Zurich Research: Simulated Phishing Tests Make Orgs Less Secure ]

MEGA, based in New Zealand, markets itself as a secure cloud storage service with “privacy by design” that aims to achieve user-controlled end-to-end encryption. 

“When a system has grown popular enough to attract the attention of independent researchers, skilled adversaries may have already compromised the system. Mitigating attacks cannot undo the consequences of such compromises,” the researchers said.

MEGA released its own advisory acknowledging the ETH Zurich findings and released patches to mitigate the vulnerabilities but the company claims the issues are very complex and difficult to exploit.

“An attacker would have had to first gain control over the heart of MEGA’s server infrastructure or achieve a successful man-in-the-middle attack on the user’s TLS connection to MEGA,” said Mathias Ortmann, chief architect at MEGA.

[ READ: Critical Vulnerability Exposed Azure Cosmos DBs for Months ]

The company confirmed the five vulnerabilities in MEGA’s cryptographic architecture that would allow an attacker who is in control of MEGA’s API back-end or who is able to mount a TLS man-in-the-middle attack to undermine certain cryptographic assurances expected by MEGA users. 

“The reported vulnerabilities would have required MEGA to become a bad actor against certain of its users, or otherwise could only be exploited if another party compromised MEGA’s API servers or TLS connections without being noticed,” the company said.

Here’s the description of the five documented attacks:

RSA Key Recovery Attack –  The researchers discovered a practical attack to recover a user’s RSA private key by exploiting the lack of integrity protection of the encrypted keys stored for users on MEGA’s servers. An entity controlling MEGA’s core infrastructure can tamper with the encrypted RSA private key and deceive the client into leaking information about one of the prime factors of the RSA modulus during the session ID exchange. 

Plaintext Recovery – A plaintext recovery attack lets the adversary compute the plaintext from a given ciphertext. In this specific attack, MEGA can decrypt AES-ECB ciphertexts created with a user’s master key. This gives the attacker access to the aforementioned and highly sensitive key material encrypted in this way. With the sharing, chat, signing, and node keys of a user, the adversary can decrypt the victim’s data or impersonate them.

Framing Attack – This attack allows MEGA to forge data in the name of the victim and place it in the target’s cloud storage. While the previous attacks already allow an adversary to modify existing files using the compromised keys, this attack allows the adversary to preserve existing files or add more documents than the user currently stores.  A conceivable attack might frame someone as a whistle-blower and place an extensive collection of internal documents in the victim’s cloud storage. Such an attack might gain credibility when it preserves the user’s original cloud content.

Integrity Attack – This attack exploits the peculiar structure of MEGA’s obfuscated key objects to manipulate an encrypted node key such that the decrypted key consists of all zero bytes. Since the attacker now knows the key, this key manipulation can be used to forge a file in a manner similar to the framing attack. Unlike for the framing attack (which requires the ability to decrypt arbitrary AES-ECB ciphertexts), for this attack the adversary only needs access to a single plaintext block and the corresponding ciphertext encrypted with AES-ECB under the master key.

GaP-Bleichenbacher Attack – MEGA can decrypt RSA ciphertexts using an expensive padding oracle attack.

The ETH Zurich team said MEGA’s introduction of additional client-side checks on the format of RSA private keys protects against the RSA key recovery attack but noted that the fix “significantly differs from our proposed countermeasures.”

Related: ETH Zurich Research: Simulated Phishing Tests Make Orgs Less Secure

Related: New Attacks Allow Bypassing EMV Card PIN Verification

Related: Critical Vulnerabilities in Azure PostgreSQL Exposed User Databases

Related: Microsoft Confirms ‘NotLegit’ Azure Flaw Exposed Source Code

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Protection

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.