Security News > 2022 > June > Researchers Uncover Ways to Break the Encryption of 'MEGA' Cloud Storage Service

A new piece of research from academics at ETH Zurich has identified a number of critical security issues in the MEGA cloud storage service that could be leveraged to break the confidentiality and integrity of user data.

In a paper titled "MEGA: Malleable Encryption Goes Awry," the researchers point out how MEGA's system does not protect its users against a malicious server, thereby enabling a rogue actor to fully compromise the privacy of the uploaded files.

Plaintext Recovery Attack, which allows MEGA to decrypt node keys - an encryption key associated with every uploaded file and are encrypted with a user's master key - and use them to decrypt all user communication and files.

Framing Attack, wherein MEGA can insert arbitrary files into the user's file storage that are indistinguishable from genuinely uploaded ones.

"Each user has a public RSA key used by other users or MEGA to encrypt data for the owner, and a private key used by the user themselves to decrypt data shared with them," the researchers explained.

"The reported vulnerabilities would have required MEGA to become a bad actor against certain of its users, or otherwise could only be exploited if another party compromised MEGA's API servers or TLS connections without being noticed," Ortmann pointed out.

News URL

https://thehackernews.com/2022/06/researchers-uncover-ways-to-break.html