Today, MEGA has released software updates that fix a critical vulnerability reported by researchers at one of Europe’s leading universities, ETH Zurich, Switzerland. Further updates addressing less severe identified issues will follow in the near future. MEGA is not aware of any user accounts being compromised by these vulnerabilities.

On 24 March 2022, a team of researchers from the Applied Cryptography group at the Department of Computer Science, ETH Zurich, alerted us to a total of five vulnerabilities in MEGA’s cryptographic architecture that would allow an attacker who is in control of MEGA’s API back-end, or who is able to mount a TLS man-in-the-middle attack, to undermine certain cryptographic assurances expected by MEGA users.

For MEGA, as an end-to-end-encrypted (E2EE) storage provider with high standards, this is a serious matter. For providers not using E2EE, such as Dropbox, OneDrive or Google Drive, a compromised back-end or a man-in-the-middle attack is of course always fatal: their privacy guarantees to users are entirely based on policy.

Files in the cloud drive could have been successively decrypted during subsequent logins. Once a targeted account had made enough successful logins, incoming shared folders, MEGAdrop files and chats could have been decryptable. Furthermore, files could have been placed in the account that appear to have been uploaded by the account holder (a “framing” attack).

The ETH Zurich exploit required customers to log into their MEGA account at least 512 times (the more logins, the higher the exposure). While all MEGA client products use permanent sessions by default, some third-party clients such as Rclone do not. Note that resuming an existing session does not count as a login.

Update: On 14 July 2022, the University of California San Diego published additional research that reduced that threshold to just six logins. They also confirmed that “the patches that MEGA developed to mitigate the original key recovery attack are effective against our improved attack as well, so updated clients are not vulnerable to the techniques presented in this work.”

Who could have exploited the vulnerability?

Very few: an attacker would have had to first gain control over the heart of MEGA’s server infrastructure, or achieve a successful man-in-the-middle attack on the user’s TLS connection to MEGA.