MEGA's Cloud Storage Has Broken Encryption

This attack was an oracle attack. You need to login/logout at least 512 times (or 1024 times if you don't use a good statistical analysis) while your actual correct key is logged in. By using math you can prune a binary tree by knowing if your guess is above or below the binary representation of the key. It's iterative keyspace reduction. The way mega is running the login process/decryption process is leaking data because they aren't properly rejecting bad keys being used in a way that doesn't reveal data about the differences between the actual key and the given key.

Cutest-Bunny

I think this goes without saying, but if you decide to use a cloud provider encrypt your files before uploading them to your provider. Never trust any companies claims on how they store your data.

xp

Now where am I supposed to "securely" store gigabytes of questionable data other than my already fully filled up landfill hard drive?

Misuune

oh no, not my archive of deltarune fan art

vriskamoder

It sounds like sending a bunch of emails claiming to be a Nigerian prince who will upload 100 Bitcoin if you give him your password would be a lot easier than actually executing this exploit.

rightwingsafetysquad

*The attack is highly Impractical*
This attack requires for one to install a Custom Certificate on their System, themselves.
If you're someone who falls for Social Engineering so hard that you will install a Certificate.
Then, one could rather install a RAT instead using that same Social Engineering, as it'll be useful for much more than just the Mega Keys and you could directly Keylog anyway.

And, One of the other prerequisites of this attack is for the Victim to login 512 times manually, I personally can't find a single person who would manually Login 512 times in a row, as there is no Practical need for that anyway. And if you don't Login 512 times in a row, the attack is as good as nothing. Not to mention that all the login attempts would fail, which would alert people, or cause them to reset their Pass. And 2FA renders it all useless.

And Mental Outlaw either didn't get that part or maybe misunderstood it, Hashes of Complex Passwords definitely require quite a few attempts to guess it, but those could be automated once you have the hash. Which is what makes them important to have that many iterations.
But Here it's quite different, as the *user themselves* need to login 512 times or more in a row, in order for this attack to guess the proper key.

And if Mega or someone with server access needs credentials, they have much better ways than to use this Vulnerability.

Either way, this is not to say that you shouldn't take measures to properly protect your sensitive data before uploading it to a cloud based provider.
If it's really that sensitive, *Encrypt it On your End* and then upload.
But Mega is great for sharing stuff that you just need to protect from advertisers and data brokers without having to dive in much technicalities.
It'll be great tho if they somehow mitigated it.

wrockd

If you've successfully managed to get a bogus TLS certificate trusted by the user to carry out a MitM attack, then what's to stop you from sending a malicious version of MEGA's scripts that simply captures the user's credentials?

lachlanhunt

Mental Outlaw pls make a pc tour showing the programs you use, browser, extensions, etc. I'm 99% everyone watching would love one!

sallysalmons

This sounds completely irrelevant if they need to install software inside the victim's machine. At that point I'm already fucked either way

valcron-

The part where they recover individual bits from the key is a timing attack on the modular exponentiation stage of RSA. That works because 1s take a different amount of time than 0s, and exponentiation is slow enough that you don't need much precision to measure those time differences.

That's why they should use the Montgomery algorithm for modular exponentiation, it's more efficient, and allows you to easily implement a constant-time variant of the algorithm

Rudxain

It's one thing that the creator said he doesn't trust Mega anymore but the next sentence is what piqued my interest.
He wants to make a fully open sourced cloud share competitor with Wikipedia's business model of volunteer contributions.

MrRolnicek

If you weren’t encrypting your stuff before sending it to the internet you’re a fool.

markm

I guess their security is... (puts on mega broken"

toquitad

You're right. Encrypting the file before uploading it is much more secure.

IsaacFoster..

lol everybody panicking in the comments. just don't install random certs and don't log in and out of mega 512 times in a row. seems pretty easy

william_williams

Honestly at this point it's not a matter of *if* something has a security flaw, it's a matter of how bad that flaw is.

ronaldiplodicus

Good thing I only store some hentai and the Ren and Stimpy show in the cloud, I only create parrot accounts to get free storage anyway.

I hope they fix the encryption though.

skinwalker

MitM is the point, where hack happened.
What was made afterwards is not so important.
I do not agree with "MEGA has broken encryption" statement.
These attacks were more theoretical, than practical.

sdjhgfkshfswdfhskljh

Oh my! I'm glad I looked this up before I started an account. Thanks

aquaearthnfirequ_pinsnsavi

TL;DR: Files should *always* be locally encrypted before U/L to any "cloud provider" (someone else's computer). Seems obvious, but I'd have trouble buying gas if everyone did so.

theITGuy-nont