Mega is not so secure: 5 ways to pierce its encryption

Many of you will know Mega, the New Zealand file-sharing company founded by Kim Dotcom. One of its most touted strengths is "privacy by design": the cryptographic keys are controlled directly by the user, so that only the user can access the files, even if the main system is seized by law enforcement. That claim does not fully hold, however. Cryptography experts at ETH Zurich have recently published a paper describing five attacks that could be used to compromise the confidentiality of stored files. The PDF, titled "Mega: Malleable Encryption Goes Awry," highlights "significant shortcomings in Mega's cryptographic architecture."

Mathias Ortmann, chief architect of Mega, published a blog post announcing that three of the five bugs found by the researchers have been fixed through an update, while other mitigations will come in the future. Specifically, he said that Mega intends to release a client fix for attack number four and to remove the legacy code that allows attack number five.

The paper drafted by the researchers reads: "The first two attacks exploit the lack of integrity protection of the ciphers containing the keys (hereinafter referred to as key ciphers) and allow all user keys encrypted with the master key to be completely compromised, leading to a complete breach of data confidentiality in the MEGA system. The next two attacks violate the integrity of encrypted files and allow an attacker to place selected files in users' cloud storage. The latest attack is a Bleichenbacher-type attack against MEGA's RSA encryption mechanism."

In practice, the main problem is that the method Mega uses to derive the various cryptographic keys that authenticate and encrypt files does not check the integrity of those keys: an attacker can therefore tamper with the RSA private key and leak information. Kenneth Paterson, one of the researchers who discovered the vulnerabilities, expressed his disappointment on Twitter that the company has not committed to a complete review of its approach and has limited itself to correcting the individual problems, as its encryption is "quite fragile".
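The missing integrity check on encrypted key blobs described above, shown as an added example that is not taken from the paper or from Mega's code: a key wrapped without a tag still "decrypts" after modification, while an encrypt-then-MAC wrapper rejects it. All function names, the context string and the SHAKE-256 keystream (a standard-library stand-in for a real cipher) are assumptions of this sketch; production code would use a vetted AEAD mode.

```python
import hashlib
import hmac
import secrets

TAG_LEN = 32    # HMAC-SHA256 output size
NONCE_LEN = 16

def _subkeys(master):
    # Separate encryption and authentication keys, both derived from the master key.
    return (hmac.new(master, b"wrap-enc", hashlib.sha256).digest(),
            hmac.new(master, b"wrap-mac", hashlib.sha256).digest())

def _xor_stream(enc_key, nonce, data):
    # Stand-in stream cipher (SHAKE-256 keystream); an assumption of this example.
    stream = hashlib.shake_256(enc_key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def wrap_unauthenticated(master, secret):
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + _xor_stream(_subkeys(master)[0], nonce, secret)

def unwrap_unauthenticated(master, blob):
    # No integrity check: a modified blob still decrypts to *something*.
    return _xor_stream(_subkeys(master)[0], blob[:NONCE_LEN], blob[NONCE_LEN:])

def _tag(master, context, body):
    # Bind the blob to its purpose (hypothetical context label), length-prefixed.
    msg = len(context).to_bytes(2, "big") + context + body
    return hmac.new(_subkeys(master)[1], msg, hashlib.sha256).digest()

def wrap_authenticated(master, secret, context):
    body = wrap_unauthenticated(master, secret)
    return body + _tag(master, context, body)

def unwrap_authenticated(master, blob, context):
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("key blob too short")
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    # Verify before decrypting; constant-time comparison avoids a timing side channel.
    if not hmac.compare_digest(tag, _tag(master, context, body)):
        raise ValueError("key blob failed integrity check")
    return unwrap_unauthenticated(master, body)

def modify_byte(blob, index):
    # Simulates a blob altered in storage or in transit.
    return blob[:index] + bytes([blob[index] ^ 0x01]) + blob[index + 1:]
```

The client should treat a failed check as a hard error and never use or report on the partially decrypted key material.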