Critical Flaws in MEGA Cloud Storage Let Attacker Decrypt User Data

Researchers at ETH Zurich, Switzerland, one of Europe’s leading universities, reported a critical vulnerability in MEGA cloud storage that allows an attacker to decrypt user data.

MEGA is a cloud storage and file hosting service offered by MEGA Limited, a company based in Auckland, New Zealand. The service is offered through web-based apps. MEGA mobile apps are also available for Android and iOS. The company is known for offering the largest fully featured free cloud storage in the world, with a 20 GB storage allocation for free accounts.

MEGA has released software updates that fix a critical vulnerability that exposes user data.

How Is the Attack Carried Out?

The researchers say an attacker would have had to gain control over the heart of MEGA’s server infrastructure or achieve a successful man-in-the-middle attack on the user’s TLS connection to MEGA.

Once a targeted account had made enough successful logins, incoming shared folders, MEGAdrop files, and chats could have been decryptable. Files in the cloud drive could have been successively decrypted during subsequent logins. In addition, files could have been placed in the account that appear to have been uploaded by the account holder (a “framing” attack).

A team of researchers from the Applied Cryptography Group at the Department of Computer Science, ETH Zurich, reported a total of five vulnerabilities in MEGA’s cryptographic architecture.

Five Attacks Identified by the Researchers

The identified vulnerabilities incrementally accumulate some information every time a MEGA user logs in. After a minimum of 512 such logins, the collected
