The Mega cloud storage service was founded by Kim Dotcom and has been around for almost 10 years. According to the authors of the project, the service uses end-to-end encryption of user data, so even company employees cannot access it. However, a recent study showed that this is not the case.
During its existence, the Mega user base has grown to 250 million people, and the amount of stored information is more than 1000 petabytes. A key feature that has helped the site grow is that the service encrypts user data, which other file hosting services like Dropbox don’t do. “As long as you make sure your password is strong enough and unique, no one will ever be able to access your data on Mega, even in exceptional cases when the entire Mega infrastructure is taken over,” says the service’s statement.
In fact, it turned out that user data is not so well protected. A study published this week shows that Mega, or the entity that controls the service’s infrastructure, may be able to access user data stored on the company’s servers. The study states that the architecture used by the service to encrypt files is riddled with serious cryptographic flaws, exploitation of which allows an attacker to fully recover the encryption key. This means that an attacker with access to the service infrastructure could decrypt user files or even replace them with malicious copies that are indistinguishable from the originals.
“We demonstrated that the Mega system fails to protect users from server-side malware and presented five different attacks that can be used together to compromise user file privacy. Additionally, the integrity of user data is compromised to the point where an attacker could inject malicious files that pass all client-side authentication,” the researchers said in a statement.
Researchers reportedly informed Mega about the discovered vulnerabilities in March this year. This week, the service started distributing an update to fix the vulnerabilities, but the patch released by the company cannot solve all the problems, according to the study’s authors.