Mega's Security Appears To Be Surprisingly Bad

from the trial-by-fire dept

We were a little skeptical of Kim Dotcom's new Mega cloud storage offering, in part because the claims of security and privacy seemed somewhat dubious upfront. We didn't see how it would be reasonably possible to do everything the service claimed it was doing in a manner that really kept the data secret. And, indeed, it has not taken long for security researchers around the globe to raise questions. Right away there were significant questions about the security design choices, including some questions about how random the random key generation really was, as well as significant concerns about Mega's claims that it offered deduplification (if things were really encrypted correctly, there would be nothing to deduplicate).

While Mega has responded to some of those criticisms, a whole host of other security questions have been raised, leading cryptographer Nadim Kobeissi to tell Forbes: "Quite frankly it felt like I had coded this in 2011 while drunk." A big part of the problem is that, by doing everything in the browser, you're really still trusting Mega, even as Mega implies that you have full control over the encryption.

And, then comes the news that when you first sign up, while Mega hashes your password, it sends you an email that includes the hash in plain text along with other data, such that one hacker has already released a tool to extract passwords from Mega's confirmation emails:
Steve "Sc00bz" Thomas, the researcher who uncovered the weakness, has released a program called MegaCracker that can extract passwords from the link contained in confirmation e-mails. Mega e-mails a link to all new users and requires that they click on it before they can use the cloud-based storage system, which boasts a long roster of encryption and security protections. Security professionals have long considered it taboo to send passwords in either plaintext or as cryptographic hashes in e-mails because of the ease attackers have in intercepting unencrypted messages sent over Internet.

Despite that admonishment, the link included in Mega confirmation e-mails contains not only a hash of the password, but it also includes other sensitive data, such as the encrypted master key used to decrypt the files stored in the account. MegaCracker works by isolating the AES-hashed password embedded in the link and attempting to guess the plaintext that was used to generate it.
Users still need to crack the hashed password, but that's a relatively easy brute force effort, especially for those who use weaker passwords (i.e., most people). There are, of course, much more secure ways of handling this, such as not including the plain text hash in the email.

All that said, many of these problems can be fixed, but when your whole pitch to the public is about how secure and private you are -- and some have been falsely implying that such a system allows individuals to avoid copyright infringement claims -- it seems reasonable to suggest that better security should be in place from the beginning.


Reader Comments (rss)

(Flattened / Threaded)

  •  
    icon
    Hephaestus (profile), Jan 23rd, 2013 @ 10:13am

    "including some questions about how random the random key generation really was, as well as significant concerns about Mega's claims that it offered deduplification"

    The deduplication can be something as simple as a CRC checksum being generated pre-encryption. If they use a one way hash on it, generate a distinct hash key per user, and only link that to the specific users account. I do not see a problem.

    If however this is system wide deduplication, it opens them up to more of the same DOJ BS they were nailed with before.

     

    reply to this | link to this | view in chronology ]

    •  
      icon
      Jeremy Lyman (profile), Jan 23rd, 2013 @ 11:43am

      Re:

      I read a comment at ARS that tried to explain the dedup in a sharing context. If you upload a file and share it with a friend, it wouldn't be physically copied and encrypted again into his Mega account. His account would just possess the key required to access that original file, and so on as it is shared.

      I'm not sure if that's really what Mega is referring to, or if they're doing some pre-encryption analysis, but it seems a lot more reasonable and less intrusive to me.

       

      reply to this | link to this | view in chronology ]

      •  
        identicon
        PRMan, Jan 23rd, 2013 @ 1:13pm

        Re: Re:

        I have also seen discussed a method whereby the hash of the data of the file is the key to encrypt the file. Therefore, the same file always looks the same, even encrypted, but there is still no way to tell what it is without the key.

        Using this method, they could do deduplication, but still not know what they have.

         

        reply to this | link to this | view in chronology ]

    •  
      icon
      AdamF (profile), Jan 23rd, 2013 @ 11:44am

      Re:

      The problem with deduplication is that if somebody provides Mega with a file, Mega is able to determine which users have uploaded that same file. So it is not an issue if you are uploading family pictures or personal documents, but it is an issue if you are uploading anything from the internet.

       

      reply to this | link to this | view in chronology ]

    •  
      icon
      John Fenderson (profile), Jan 23rd, 2013 @ 12:41pm

      Re:

      I do not see a problem.


      The problem would be collisions. A checksum (or a hash) is not guaranteed to be unique to a given dataset. if two different datasets happen to result in the same checksum or hash, then the deduplication will catastrophically fail.

       

      reply to this | link to this | view in chronology ]

  •  
    icon
    Rikuo (profile), Jan 23rd, 2013 @ 11:25am

    Earlier today, I went on to a forum I'm a member of, where users can put up links to anime episodes on cyberlockers. Someone had uploaded an episode to the new Mega, and so, I thought I'd give it a try. I thought that, what with all the talk about need keys to decrypt, that I would at best just get an encrypted mess of garbage. Turns out the key was enabled in the link, so as far as I can understand: just like with MU, all a copyright holder needs is the link, so that they can fire off a DMCA to DotCom (which by the way, I'm mightily confused over: why the fuck is he still abiding by it, given that he's arranged things so that he has no US presence or connections at all?).

     

    reply to this | link to this | view in chronology ]

    •  
      icon
      Mike Masnick (profile), Jan 23rd, 2013 @ 11:29am

      Re:

      Turns out the key was enabled in the link, so as far as I can understand: just like with MU, all a copyright holder needs is the link, so that they can fire off a DMCA to DotCom

      When you generate a link it can include the key in the link or you can deliver the key separately. But for sharing things on a widespread nature, you're always going to include the key -- which was the point we raised in our original article about this, and why the talk of encryption is sort of overhyped.

       

      reply to this | link to this | view in chronology ]

      •  
        icon
        Rikuo (profile), Jan 23rd, 2013 @ 11:31am

        Re: Re:

        Yeah, I can only imagine what it would be like having to answer emails all day asking for the decrypt key...sorta like what would happen in a world that obeyed copyright perfectly, except instead of giving a key, you're giving permission (which is basically the same thing).

         

        reply to this | link to this | view in chronology ]

      •  
        icon
        JWW (profile), Jan 23rd, 2013 @ 12:05pm

        Re: Re:

        It would be great if the terms of service for the website forbid any officers or officials at MPAA or RIAA companies from using the keys.

        That way, they'll never be able to tell if copyrighted material has been uploaded to Mega without being in violation of the sites terms and conditions.

        Then we can get the feds to throw the book at the RIAA and MPAA for hacking Mega!!!

         

        reply to this | link to this | view in chronology ]

  •  
    identicon
    Lord Binky, Jan 23rd, 2013 @ 11:30am

    This is done to remove their knowledge of the content being stored.

    The intent is not about preventing anyone from unencrypting the data.

    Under the DMCA, circumventing ANY protection is illegal, no matter how trivial the protection is. To Identify if the content is legal, then an entity has to break the law without the encryption key. So sending a take down notice would be admitting you broke the law without thorough documentation how you gained access to the content.

    They are trying hide behind the same laws that are used against them. Exactly how the game is played.

     

    reply to this | link to this | view in chronology ]

    •  
      identicon
      Lord Binky, Jan 23rd, 2013 @ 11:36am

      Re:

      All it really needs is a tool that cracks the encryption in under a minute, and then the uploader shares the link and not the shared key.

      Most people could download and crack the trivial encryption, which would be illegal but of no significance to most people. That would be significant for ordinary take down notice groups though, especially troublesome when things go to court.

       

      reply to this | link to this | view in chronology ]

    •  
      identicon
      Anonymous Coward, Jan 23rd, 2013 @ 11:44am

      Re:

      Hadn't thought of it that way, but I would say that it does have a certain irony in it.

       

      reply to this | link to this | view in chronology ]

      •  
        identicon
        Kenneth Michaels, Jan 23rd, 2013 @ 12:23pm

        Not really, according to the DMCA

        This would be a clever use of the encryption, but it doesn't jive with the law.

        Pirates could decrypt/crack the content without violating the anti-circumvention portion of the DMCA. The DMCA defines “effectively control[ing] access to a work” to be controlling access to a work *with the authority of the copyright owner.* So, the encryption added to a copyrighted work (not owned by Mega or the user) would not be with the authority of the copyright owner.

        On the other hand, the copyright owner can also decrpyt his own work without violating the anti-circumvention part of the DMCA. Also, the DMCA defines to “circumvent a technological measure” to be to circumvent *without the authority of the copyright owner.* So, the copyright owner can always circumvent any DRM on his own work.

         

        reply to this | link to this | view in chronology ]

        •  
          identicon
          Lord Binky, Jan 23rd, 2013 @ 12:29pm

          Re: Not really, according to the DMCA

          So every time they decrypt something that is not owned by them they are still breaking the law?

           

          reply to this | link to this | view in chronology ]

        •  
          identicon
          Lord Binky, Jan 23rd, 2013 @ 12:34pm

          Re: Not really, according to the DMCA

          Doesn't proving they KNEW for a fact it was theirs and they would not be violating a law also provide a great argument point for lawyers?

          Making life hell for each other is the driving force behind all this crap anyways, so it seems it would still achieve that point fairly well.

           

          reply to this | link to this | view in chronology ]

    •  
      icon
      Zakida Paul (profile), Jan 23rd, 2013 @ 11:47am

      Re:

      Very much this. The encryption is not so much about user privacy or security as it is about using the law in his own favour.

      Quite a clever move, I must say.

       

      reply to this | link to this | view in chronology ]

    •  
      identicon
      Anonymous Coward, Jan 23rd, 2013 @ 12:03pm

      Re:

      It would take a special kind of plaintiff to see that actually tested though.

       

      reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Jan 23rd, 2013 @ 11:38am

    Apparently, their service only works if it can write files from JavaScript and is thus unusable in anything other than Chrome. As long as that's the case it will never reach the popularity of the old Megaupload.

     

    reply to this | link to this | view in chronology ]

    •  
      identicon
      Kenneth Michaels, Jan 23rd, 2013 @ 12:29pm

      Re: Google Driving Piracy

      So, Mega.co.nz only works with Google's Chrome browser. Once again, we see that Google is driving piracy. Google is the parasitic piracy leader, stealing copyrighted works and serving them to the world against their ads.

       

      reply to this | link to this | view in chronology ]

      •  
        icon
        Suzanne Lainson (profile), Jan 24th, 2013 @ 10:18pm

        Re: Re: Google Driving Piracy

        This came out a few days ago, but I am only now getting around to reading it.

        Dotcom: Now I'm After Google | Stuff.co.nz: "'Right now Google is linking to all this content and even though Google is a great company and I love them and their attitude, Google is the largest index of pirated content in the world and they don't pay any licence holder and they are in business and they are doing really well,' he said.

        "'So if my software can force companies like Google to pay their little share to content creators, it wouldn't really hurt them.'"

         

        reply to this | link to this | view in chronology ]

        •  
          identicon
          F!, Jan 24th, 2013 @ 10:57pm

          Re: Re: Re: Google Driving Piracy

          Somehow I'd missed that article too, thanks for sharing.

          What caught my eye:
          "He also repeated his willingness to help make a second undersea fibre cable from New Zealand to America a reality. However, he said it would be better placed into Panama rather than the US."

          This raises a good point - if connecting to/through the USA can be at all avoided, by all means go through somewhere else. Panama doesn't like taking orders from the USA, so that may help protect from any filtering traffic would be subject to when routed through the USA.

           

          reply to this | link to this | view in chronology ]

    •  
      identicon
      F!, Jan 24th, 2013 @ 11:07pm

      Re:

      What are you talking about? That sentence is pure gobbledygook. I realize I'm talking to an AC, but source please?

       

      reply to this | link to this | view in chronology ]

  •  
    icon
    BentFranklin (profile), Jan 23rd, 2013 @ 11:45am

    You could solve the problem of trusting their encryption by encrypting with yours first, but that was always the case.

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Jan 23rd, 2013 @ 12:27pm

    Dotcom has put out a challenge. check the post on Torrentfreak

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Jan 23rd, 2013 @ 1:19pm

    Mega has a response to the issues raised.

    https://mega.co.nz/#blog_3

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Ann Onymous, Jan 23rd, 2013 @ 1:50pm

    I just want to point out that brute forcing the AES "hash" is not easy. They use 65536 iterations of the full AES block cipher. Even on Ivy Bridge CPUs with dedicated AES hardware, you still only get about 4500 guesses per second. If you use a random [a-zA-Z0-9]{10} password, it would take ~591,000 of these Ivy Bridge CPUs to crack it within 10 years. Good password hygiene and adhering to good sense should keep you safe from MegaCracker.

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Jan 23rd, 2013 @ 3:53pm

    This is fascinating and all, but does it matter to me, the standard Mega user? All I care is that it's Megaupload 2: The Reuploading. It'll last for a few years, and then it'll get taken down again; until then, I have a place to share materials that are probably illegal somewhere for some reason or the other. When it gets taken down, someone else will have something new for me to use.

    If Megaupload users didn't get sued when Megaupload got taken down, what do we care how secure Mega is? It sounds to me like encryption is just a way to give Mega some legitimacy, which it will never have, and it's giving me some real cognitive dissonance headaches here. This is the wild west, and while someday the law might clean up the mexican standoffs, we'll have found an entirely new medium by then.

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Jan 23rd, 2013 @ 4:33pm

    Perhaps a bit early for this reaction?

    We don't actually know for certain they will do any deduplication, or even that they are capable of it - we only know that their T&C reserves the right to do it.
    A fairly big leap.

    The password hash in email is a concern (although perhaps not a massive one), but doesn't seem to be nearly enough to say "Mega has bad security."

    Over the top, and too early.

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    F!, Jan 23rd, 2013 @ 10:46pm

    Mega's Response

    Mega has issued a response to the allegations (as previously pointed out by the AC above):
    https://mega.co.nz/#blog_3

    In the end, Mega remains far more secure than virtually all major cyber-lockers (e.g. DropBox, which is a security minefield) due to the fact that they are encrypting everything by default. Keep in mind though, they are doing it primarily for their own protection rather than their user's. The fact that it helps protect the user as well is just the icing.

    Basically the allegations boil down to astroturfing by people with an agenda against Kim and/or Mega. If you're really worried about it, encrypt everything on your end before adding Mega's layer of security.

    Of course everyone is already doing the right thing and encrypting everything anyway... RIGHT!?

     

    reply to this | link to this | view in chronology ]

  •  
    icon
    Ninja (profile), Jan 24th, 2013 @ 2:47am

    I think it'll evolve with time. As for mailing the keys, well you should be protecting your e-mail too so I don't really see a problem here...

     

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Save me a cookie
  • Note: A CRLF will be replaced by a break tag (<br>), all other allowable HTML will remain intact
  • Allowed HTML Tags: <b> <i> <a> <em> <br> <strong> <blockquote> <hr> <tt>
Follow Techdirt
A word from our sponsors...
Essential Reading
Techdirt Reading List
Techdirt Insider Chat
A word from our sponsors...
Recent Stories
A word from our sponsors...

Close

Email This