Mega's Security Appears To Be Surprisingly Bad

from the trial-by-fire dept

We were a little skeptical of Kim Dotcom’s new Mega cloud storage offering, in part because the claims of security and privacy seemed somewhat dubious upfront. We didn’t see how it would be reasonably possible to do everything the service claimed it was doing in a manner that really kept the data secret. And, indeed, it has not taken long for security researchers around the globe to raise questions. Right away there were significant questions about the security design choices, including some questions about how random the random key generation really was, as well as significant concerns about Mega’s claims that it offered deduplification (if things were really encrypted correctly, there would be nothing to deduplicate).

While Mega has responded to some of those criticisms, a whole host of other security questions have been raised, leading cryptographer Nadim Kobeissi to tell Forbes: “Quite frankly it felt like I had coded this in 2011 while drunk.” A big part of the problem is that, by doing everything in the browser, you’re really still trusting Mega, even as Mega implies that you have full control over the encryption.

And, then comes the news that when you first sign up, while Mega hashes your password, it sends you an email that includes the hash in plain text along with other data, such that one hacker has already released a tool to extract passwords from Mega’s confirmation emails:

Steve “Sc00bz” Thomas, the researcher who uncovered the weakness, has released a program called MegaCracker that can extract passwords from the link contained in confirmation e-mails. Mega e-mails a link to all new users and requires that they click on it before they can use the cloud-based storage system, which boasts a long roster of encryption and security protections. Security professionals have long considered it taboo to send passwords in either plaintext or as cryptographic hashes in e-mails because of the ease attackers have in intercepting unencrypted messages sent over Internet.

Despite that admonishment, the link included in Mega confirmation e-mails contains not only a hash of the password, but it also includes other sensitive data, such as the encrypted master key used to decrypt the files stored in the account. MegaCracker works by isolating the AES-hashed password embedded in the link and attempting to guess the plaintext that was used to generate it.

Users still need to crack the hashed password, but that’s a relatively easy brute force effort, especially for those who use weaker passwords (i.e., most people). There are, of course, much more secure ways of handling this, such as not including the plain text hash in the email.

All that said, many of these problems can be fixed, but when your whole pitch to the public is about how secure and private you are — and some have been falsely implying that such a system allows individuals to avoid copyright infringement claims — it seems reasonable to suggest that better security should be in place from the beginning.

Filed Under: , ,
Companies: mega

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Mega's Security Appears To Be Surprisingly Bad”

Subscribe: RSS Leave a comment
33 Comments
Hephaestus (profile) says:

“including some questions about how random the random key generation really was, as well as significant concerns about Mega’s claims that it offered deduplification”

The deduplication can be something as simple as a CRC checksum being generated pre-encryption. If they use a one way hash on it, generate a distinct hash key per user, and only link that to the specific users account. I do not see a problem.

If however this is system wide deduplication, it opens them up to more of the same DOJ BS they were nailed with before.

Jeremy Lyman (profile) says:

Re: Re:

I read a comment at ARS that tried to explain the dedup in a sharing context. If you upload a file and share it with a friend, it wouldn’t be physically copied and encrypted again into his Mega account. His account would just possess the key required to access that original file, and so on as it is shared.

I’m not sure if that’s really what Mega is referring to, or if they’re doing some pre-encryption analysis, but it seems a lot more reasonable and less intrusive to me.

Rikuo (profile) says:

Earlier today, I went on to a forum I’m a member of, where users can put up links to anime episodes on cyberlockers. Someone had uploaded an episode to the new Mega, and so, I thought I’d give it a try. I thought that, what with all the talk about need keys to decrypt, that I would at best just get an encrypted mess of garbage. Turns out the key was enabled in the link, so as far as I can understand: just like with MU, all a copyright holder needs is the link, so that they can fire off a DMCA to DotCom (which by the way, I’m mightily confused over: why the fuck is he still abiding by it, given that he’s arranged things so that he has no US presence or connections at all?).

Mike Masnick (profile) says:

Re: Re:

Turns out the key was enabled in the link, so as far as I can understand: just like with MU, all a copyright holder needs is the link, so that they can fire off a DMCA to DotCom

When you generate a link it can include the key in the link or you can deliver the key separately. But for sharing things on a widespread nature, you’re always going to include the key — which was the point we raised in our original article about this, and why the talk of encryption is sort of overhyped.

JWW (profile) says:

Re: Re: Re:

It would be great if the terms of service for the website forbid any officers or officials at MPAA or RIAA companies from using the keys.

That way, they’ll never be able to tell if copyrighted material has been uploaded to Mega without being in violation of the sites terms and conditions.

Then we can get the feds to throw the book at the RIAA and MPAA for hacking Mega!!!

Lord Binky says:

This is done to remove their knowledge of the content being stored.

The intent is not about preventing anyone from unencrypting the data.

Under the DMCA, circumventing ANY protection is illegal, no matter how trivial the protection is. To Identify if the content is legal, then an entity has to break the law without the encryption key. So sending a take down notice would be admitting you broke the law without thorough documentation how you gained access to the content.

They are trying hide behind the same laws that are used against them. Exactly how the game is played.

Lord Binky says:

Re: Re:

All it really needs is a tool that cracks the encryption in under a minute, and then the uploader shares the link and not the shared key.

Most people could download and crack the trivial encryption, which would be illegal but of no significance to most people. That would be significant for ordinary take down notice groups though, especially troublesome when things go to court.

Kenneth Michaels (profile) says:

Re: Re: Not really, according to the DMCA

This would be a clever use of the encryption, but it doesn’t jive with the law.

Pirates could decrypt/crack the content without violating the anti-circumvention portion of the DMCA. The DMCA defines ?effectively control[ing] access to a work? to be controlling access to a work with the authority of the copyright owner. So, the encryption added to a copyrighted work (not owned by Mega or the user) would not be with the authority of the copyright owner.

On the other hand, the copyright owner can also decrpyt his own work without violating the anti-circumvention part of the DMCA. Also, the DMCA defines to ?circumvent a technological measure? to be to circumvent without the authority of the copyright owner. So, the copyright owner can always circumvent any DRM on his own work.

Suzanne Lainson (profile) says:

Re: Re: Google Driving Piracy

This came out a few days ago, but I am only now getting around to reading it.

Dotcom: Now I’m After Google | Stuff.co.nz: “‘Right now Google is linking to all this content and even though Google is a great company and I love them and their attitude, Google is the largest index of pirated content in the world and they don’t pay any licence holder and they are in business and they are doing really well,’ he said.

“‘So if my software can force companies like Google to pay their little share to content creators, it wouldn’t really hurt them.'”

F! says:

Re: Re: Re: Google Driving Piracy

Somehow I’d missed that article too, thanks for sharing.

What caught my eye:
“He also repeated his willingness to help make a second undersea fibre cable from New Zealand to America a reality. However, he said it would be better placed into Panama rather than the US.”

This raises a good point – if connecting to/through the USA can be at all avoided, by all means go through somewhere else. Panama doesn’t like taking orders from the USA, so that may help protect from any filtering traffic would be subject to when routed through the USA.

Ann Onymous says:

I just want to point out that brute forcing the AES “hash” is not easy. They use 65536 iterations of the full AES block cipher. Even on Ivy Bridge CPUs with dedicated AES hardware, you still only get about 4500 guesses per second. If you use a random [a-zA-Z0-9]{10} password, it would take ~591,000 of these Ivy Bridge CPUs to crack it within 10 years. Good password hygiene and adhering to good sense should keep you safe from MegaCracker.

Anonymous Coward says:

This is fascinating and all, but does it matter to me, the standard Mega user? All I care is that it’s Megaupload 2: The Reuploading. It’ll last for a few years, and then it’ll get taken down again; until then, I have a place to share materials that are probably illegal somewhere for some reason or the other. When it gets taken down, someone else will have something new for me to use.

If Megaupload users didn’t get sued when Megaupload got taken down, what do we care how secure Mega is? It sounds to me like encryption is just a way to give Mega some legitimacy, which it will never have, and it’s giving me some real cognitive dissonance headaches here. This is the wild west, and while someday the law might clean up the mexican standoffs, we’ll have found an entirely new medium by then.

Anonymous Coward says:

Perhaps a bit early for this reaction?

We don’t actually know for certain they will do any deduplication, or even that they are capable of it – we only know that their T&C reserves the right to do it.
A fairly big leap.

The password hash in email is a concern (although perhaps not a massive one), but doesn’t seem to be nearly enough to say “Mega has bad security.”

Over the top, and too early.

F! says:

Mega's Response

Mega has issued a response to the allegations (as previously pointed out by the AC above):
https://mega.co.nz/#blog_3

In the end, Mega remains far more secure than virtually all major cyber-lockers (e.g. DropBox, which is a security minefield) due to the fact that they are encrypting everything by default. Keep in mind though, they are doing it primarily for their own protection rather than their user’s. The fact that it helps protect the user as well is just the icing.

Basically the allegations boil down to astroturfing by people with an agenda against Kim and/or Mega. If you’re really worried about it, encrypt everything on your end before adding Mega’s layer of security.

Of course everyone is already doing the right thing and encrypting everything anyway… RIGHT!?

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...