MEGA is a cloud storage service that has long prided itself on being zero-knowledge, meaning the company had no way of decrypting files stored on its servers. Unfortunately, a cryptographers studio in June 2022 found a major vulnerability in service encryption. This new MEGA security flaw makes it theoretically possible for the company to retrieve a user’s RSA private key and decrypt their files.
- Cryptographic researchers have exposed critical flaws and serious vulnerabilities in the way MEGA’s cloud storage service handles its users’ encryption keys.
- MEGA has issued a security patch, but researchers say fully fixing the problem will require a complete redesign of its system, removing legacy code and issuing new keys to all user accounts, taking months at best.
- The attack relies on a high threshold of effort on MEGA’s part, as a user’s RSA key pair must be specifically targeted.
Private encryption has always been the cornerstone of how MEGA presents itself to customers. This is not surprising because private encryption not only improves the privacy of user data, but also serves as plausible deniability regarding copyright infringement, which was the bane of MEGA’s predecessor, Megaupload.
So it’s doubly concerning to MEGA that researchers have identified cryptographic flaws in its architecture, which could allow a malicious service provider (i.e., someone who controls MEGA’s infrastructure) to retrieve a user’s master key and use it. to decrypt user data stored on the servers. .
Furthermore, the same attack would allow the attacker to insert chosen files into the user’s file storage, which would look identical to those uploaded by the user himself. Stay with us as we discuss what this means for users and the future of MEGA.
Yes, MEGA is a secure service. No outside party could exploit the vulnerability in the MEGA encryption.
Unfortunately not. Although it is unlikely that MEGA will try to gain access to your files, the fact is that it is theoretically possible, especially if the authorities force the company to target specific users.
MEGA claims no, but there really is no way we can answer this question with complete certainty. That said, bypassing MEGA’s encryption requires an attack on an individual user, so it seems unlikely that MEGA would get involved in this.
Yes, regardless of this vulnerability, MEGA’s encryption remains end-to-end.
What is the MEGA 2022 security flaw?
The security flaw revolves around how MEGA’s RSA encryption mechanism handles attempts to access a user’s private key, which is stored in encrypted form on MEGA’s servers. The flaw is specifically related to the lack of integrity protection.
Upon decryption of the encrypted private key, a internal MEGA attacker could reduce the possible keys with each login attempt. After enough successful logins (512 to be exact), an attacker could get their hands on the real thing.
For a more technical explanation, the authors of the article describe on your website:
“An entity that controls the core infrastructure of MEGA can alter the encrypted RSA private key and trick the client into leaking information about one of the main factors of the RSA module during the session ID exchange.
More specifically, the session ID that the client decrypts with the garbled private key and sends to the server will reveal whether the prime number is less than or greater than a value chosen by the adversary.
This information enables a binary lookup of the prime factor, with a match per client login attempt, allowing the adversary to retrieve the private RSA key after 1023 client logins. Using lattice cryptanalysis, the number of login attempts required for the attack can be reduced to 512.”
The document goes on to detail five different types of attacks, including:
- RSA key attack with proof of concept
- Plain text recovery attack
- framing attack
- integrity attack
- GaP-Bliechenbacher attack
The exact details of how these attacks work aren’t important for our purposes here, but you can head to the research website linked above for detailed technical explanations from the researchers themselves.
Can MEGA fix the problem?
MEGA has already done it issued a patch, but investigators had their own ideas about what the company needed to do to bolster its defenses. These range from intermediate ad-hoc solutions that can be implemented quickly to a fundamental redesign of MEGA’s architecture.
To implement the most comprehensive fixes, MEGA users would need to download and re-encrypt all of their data.
This may not sound like a big deal, but given that MEGA stores over 1000 petabytes of data on its servers, the time required and the cost in terms of server fees would be astronomical. The researchers estimate that such a maneuver would take a minimum of six months, even under ideal circumstances.
MEGA security patch
The researchers informed MEGA about the flaw in March 2022. They suggested several large-scale solutions that would solve the problem with MEGA’s cryptography, but most of them would require a great deal of effort and cost on MEGA’s part.
Instead, MEGA issued a security patch that directly fixes the key recovery attack, rather than making sweeping changes to its security architecture. Whether or not this completely negates the problem is hard to say, but the researchers point out that this is an ad-hoc solution that falls well short of the proposed solutions.
While this was the type of attack used in the proof of concept, the researchers outlined four other possible types of attacks that may be possible, including a plaintext retrieval attack, a frame attack, an integrity attack, and an attack. GaP-Bliechenbacher attack.
How safe is MEGA now?
While this flaw is certainly a blow to the service’s image as a privacy-focused service, MEGA is still a secure cloud storage service. The newly discovered vulnerability requires control of the service infrastructure, as well as significant effort on the part of MEGA to exploit.
That is, unless the target account has already logged in more than 512 times, which is likely a small fraction of the total user base. Even then, if you are among the users who have logged in so many times, MEGA claims that it was not aware of this flaw and would not have been monitoring session IDs.
Whether you believe them or not is up to you.
That said, it’s not out of the question to imagine intelligence agencies or law enforcement twisting MEGA’s arm to target individual users.
While the new security patch fixed the specific proof of concept developed by the researchers that could trigger a large number of login attempts very quickly, there are probably many more ways this could be achieved if the attacker is MEGA.
MEGA is zero knowledge?
When all is said and done, it’s hard to argue that MEGA still qualifies as a zero-knowledge service. It still uses private end-to-end encryption, and while it would certainly require a lot more effort on MEGA’s part to decrypt user data than Google or Microsoft, the fact is that it has been shown to be theoretically possible.
How the MEGA security flaw affects our cloud storage service ratings
Although the vulnerability is a major blow to the service, we are still confident in recommending MEGA to most users, albeit now with a warning about user privacy and its potentially flawed private encryption. The fact is that even with this weakness, MEGA is still significantly more private than other more conventional services.
With that said, we will update our reviews as well as our ratings to reflect the critical vulnerability reported by researchers, meaning the service will take a hit on the privacy front in our reviews and articles.
That is all the information we have about the reported security vulnerability in the MEGA architecture. If you feel like you want a deeper understanding of the technicalities, we recommend checking out the researchers’ website, or if you’re really hungry for details, the document itself.
We hope we managed to shed some light on the issue and what it means for your MEGA account and uploaded files. What do you think of this development? Do you see this as an honest mistake on MEGA’s part, or a nefarious ploy to hide problems with their encryption from their users? Let us know in the comments below, and as always, thanks for reading.