One of the world's most popular cloud storage service providers (Opens in a new tab) had several serious vulnerabilities that allowed threat actors to read even encrypted files (Opens in a new tab), researchers found .
A team from ETH Zurich discovered five vulnerabilities in the Mega platform that revolve around the theft and decryption of an RSA key (a private key based on the RSA algorithm).
The team discovered the flaws at the end of March this year and reported them to the company. Soon, Mega released fixes and mitigations for some of the flaws, while for others the fixes are still in progress. The patches do not affect the user experience or require users to re-encrypt their stored data, it said. They also don't need to change passwords or create new keys.
Ideal for dissatisfied employees.
While the fixes aren't available for all flaws, that's definitely bad news, but the good news is that Mega has yet to see anyone exploit them in the wild. There is no concrete timeline as to when the remaining patches will be released.
In a video explanation of the flaw, the researchers said that the attack is based on the prime factor assumption in comparison, and that the attacker would need at least 512 connection attempts to breach an endpoint (opens in a new tab) . In addition, they would also need access to Mega's servers, which means that for external threats, the vulnerabilities are not exactly viable.
However, for insiders or disgruntled employees, it's a completely different story.
"Watching seemingly innocuous cryptographic design shortcuts taken nearly a decade ago backfire on three of the industry's brightest minds is both chilling and intellectually fascinating," Mega said in a statement.
"The very high exploitability threshold, despite the wide range of identified cryptographic vulnerabilities, provides some relief."
A detailed breakdown of the flaw and MEGA countermeasures can be found at this link (opens in a new tab).
Via: BleepingComputer (Opens in a new tab)