Researchers from the Applied Cryptography Group at ETH Zurich have revealed fundamental flaws in Mega’s cryptographic architecture that enable five attacks on the cloud storage service. The attacks can expose users’ data or even let an attacker plant incriminating or malicious files in an account.
According to the researchers, the flaws can be exploited by an attacker who controls Mega’s API backend, or who can mount a TLS man-in-the-middle attack between the client and that backend, to target individual users.
Such an attacker learns a small amount of information about the user’s RSA private key every time the user logs in. After 512 logins the collected data is enough to recover the key and decrypt at least part of the user’s account, with further logins extending how much can be decrypted.
Beyond that, an attacker can insert malicious files into a user’s account provided they know at least one file link the user has exported. Finally, Mega’s legacy chat key-exchange mechanism exposes users to a further attack.
Mega’s integrity issues
The researchers found that Mega’s key hierarchy has no way to check the integrity of the keys it handles. A client that is handed a tampered or otherwise invalid key therefore does not reject it but keeps using it, and the client’s behaviour with that key leaks information. This is what makes the key recovery attack possible.
The researchers have listed the following five attacks:
- RSA Key Recovery Attack: A user’s RSA private key can be recovered by tampering with the key material the client processes during 512 logins.
- Plaintext Recovery: With the RSA key in hand, Mega (or an attacker in Mega’s position) can decrypt further key material, including node keys, and use it to decrypt the user’s communication and files.
- Framing Attack: Attackers can insert arbitrary files into the user’s storage. These files are indistinguishable from the ones the user genuinely uploaded.
- Integrity Attack: Same impact as the framing attack, reached by a different route that does not require the RSA key.
- GaP-Bleichenbacher Attack: RSA ciphertexts can be decrypted using an expensive Guess-and-Purge variant of Bleichenbacher’s padding oracle attack.
Decade of promises under threat
Mega has since patched the specific proof-of-concept attack the researchers demonstrated by adding client-side checks on the format of RSA private keys. However, the patch targets the researchers’ exploits specifically and differs significantly from the countermeasures the researchers proposed.
Mega’s advisory also argues that the attacks are hard to carry out in practice, including the key recovery attack on which most of the other attacks build. Mega also uses session IDs that spare users from logging in on every visit, so observing 512 logins with the correct password from a MITM position would be slow and difficult.
The researchers counter that a sufficiently motivated attacker could still perform the RSA key recovery attack despite the 512-login bottleneck. They also note that the integrity attack needs no RSA key at all: it requires only a single AES-ECB plaintext-ciphertext pair under the master key, and a file-sharing link exported by the user supplies exactly that, since the link carries the file key in the clear while the server already holds its ECB-encrypted form.
It is unclear whether Mega will adopt the researchers’ immediate and long-term mitigations, given the load and traffic implications of re-encrypting over 1000 petabytes of data. Backwards compatibility is also a concern, as significant changes to the key hierarchy could render some existing user data unusable.
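The two design points above, an unauthenticated ECB-wrapped key hierarchy and the attacker’s use of one known plaintext-ciphertext pair, are easier to see in code. The following is an added example written for this article, not Mega’s code and not the researchers’ proof of concept. It uses a toy HMAC-SHA256 Feistel block cipher as a stand-in for AES so that it runs with the Python standard library alone, and it models files with CTR mode rather than Mega’s actual file encryption. The vulnerable client unwraps whatever the server sends and uses it; the hardened client shown beside it is one possible countermeasure shape (assumed here, not necessarily Mega’s patch or the researchers’ exact proposal): a MAC under a key derived from the master key, bound to the node the wrapped key belongs to, so that neither a bit-flipped key nor a replayed pair from another node verifies. All keys, node IDs and file contents are constructed sample data.

```python
import hashlib
import hmac
import secrets

BLOCK = 16  # 128-bit block, like AES


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, i, half):
    # Feistel round function: 8 bytes of HMAC-SHA256 under the master key.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key, block):
    """Toy 4-round Feistel cipher standing in for AES (assumption, not Mega's)."""
    L, R = block[:8], block[8:]
    for i in range(4):
        L, R = R, _xor(L, _round(key, i, R))
    return L + R


def block_decrypt(key, block):
    L, R = block[:8], block[8:]
    for i in reversed(range(4)):
        L, R = _xor(R, _round(key, i, L)), L
    return L + R


def ecb_encrypt(key, data):
    # ECB: every block independently, no IV, no tag. This is the wrapping
    # mode the researchers found at fault in Mega's key hierarchy.
    return b"".join(block_encrypt(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))


def ecb_decrypt(key, data):
    return b"".join(block_decrypt(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))


def ctr_crypt(key, data):
    """CTR mode over the toy cipher for file contents (same op both ways)."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        out += _xor(data[i:i + BLOCK], block_encrypt(key, (i // BLOCK).to_bytes(BLOCK, "big")))
    return bytes(out)


def unwrap_key_vulnerable(master, wrapped):
    # Vulnerable pattern: decrypt whatever the server sent and use it. Nothing
    # here distinguishes a genuine wrapped key from a substituted or bit-flipped one.
    return ecb_decrypt(master, wrapped)


def _mac_key(master):
    return hmac.new(master, b"node-key-wrap-mac", hashlib.sha256).digest()


def wrap_key_authenticated(master, node_key, node_id):
    # Hardened pattern (assumed countermeasure shape): MAC over node_id || ciphertext
    # under a key derived from the master key, so tampering and cross-node replay fail.
    ct = ecb_encrypt(master, node_key)
    return ct + hmac.new(_mac_key(master), node_id + ct, hashlib.sha256).digest()


def unwrap_key_authenticated(master, blob, node_id):
    ct, tag = blob[:-32], blob[-32:]
    expected = hmac.new(_mac_key(master), node_id + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrapped node key failed authentication")
    return ecb_decrypt(master, ct)


def plant_file(master=None):
    """Integrity attack: the server reuses one known (key, ciphertext) pair from
    node A to plant node B, which the vulnerable client decrypts without complaint."""
    master = master or secrets.token_bytes(16)  # victim's master key (constructed)
    known_key = secrets.token_bytes(16)         # node A's key, leaked via an exported link
    known_wrapped = ecb_encrypt(master, known_key)  # node A's wrapped key, stored server-side
    planted_ct = ctr_crypt(known_key, b"file the user never uploaded")  # node B content
    seen_by_victim = ctr_crypt(unwrap_key_vulnerable(master, known_wrapped), planted_ct)
    blob_a = wrap_key_authenticated(master, known_key, b"node-A")
    try:
        unwrap_key_authenticated(master, blob_a, b"node-B")  # replay for another node
        rejected = False
    except ValueError:
        rejected = True
    return seen_by_victim, rejected


def tamper_key(master=None):
    """Malleability: a bit flip in an ECB-wrapped key yields a different key the
    vulnerable client silently uses (what key recovery relies on); hardened rejects."""
    master = master or secrets.token_bytes(16)
    node_key = secrets.token_bytes(16)
    wrapped = ecb_encrypt(master, node_key)
    silently_used = unwrap_key_vulnerable(master, bytes([wrapped[0] ^ 1]) + wrapped[1:])
    blob = wrap_key_authenticated(master, node_key, b"node-A")
    try:
        unwrap_key_authenticated(master, bytes([blob[0] ^ 1]) + blob[1:], b"node-A")
        rejected = False
    except ValueError:
        rejected = True
    return silently_used != node_key, rejected


if __name__ == "__main__":
    print("planted file seen by victim:", plant_file()[0], "| hardened rejected replay:", plant_file()[1])
    print("tampered key silently used:", tamper_key()[0], "| hardened rejected tamper:", tamper_key()[1])
```

The point of the hardened form is not the MAC by itself but what it binds: a tag over the ciphertext alone would still verify when node A’s (ciphertext, tag) pair is replayed for node B, which is exactly the reuse the integrity attack depends on, so the node identity has to be part of the authenticated data.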