ETH Zurich finds flaws in the firm’s cryptographic infrastructure

MEGA claims that its storage service is private by design, but according to researchers, the technology is beset with “serious” security issues.

Based in New Zealand, MEGA is a cloud storage service and messaging platform that offers end-to-end encryption to more than 250 million users. MEGA also allows users to make audio and video calls.

The company calls itself a “zero-knowledge” encryption service built with “privacy by design”.

“All your data on MEGA is encrypted with a key derived from your password; in other words, your password is your main encryption key,” the organization says. “MEGA does not have access to your password or your data.”

However, according to the ETH Zurich University, based in Switzerland, in-depth testing of the platform has revealed “security holes that would allow the provider to decrypt and manipulate customer data”, despite its marketing claims to the contrary.

ETH Zurich cryptography researchers Matilda Backendal, Miro Haller, and Professor Kenneth Paterson analyzed MEGA’s source code and cryptographic architecture, uncovering a total of five vulnerabilities.

Encryption cracked

After recreating part of the MEGA platform and attempting to brute-force their own accounts, the team says they found that using one main key represents a “fundamental” weakness in the service.

A paper (PDF) describing the flaw says that the MEGA client derives an authentication key from a user’s password. This key is then used to encrypt other key material, files, and more.

A lack of integrity protection of ciphertexts containing keys breaks the confidentiality of the master key and overall encryption system, according to the researchers. This permits integrity attacks, RSA key and plaintext recovery attacks, and establishes an RSA decryption attack vector.


Catch up on the latest cloud security-related news


By hijacking only a session ID, it takes a maximum of 512 login attempts to break into a MEGA account.

“An additional manipulation of the MEGA software program on the computer of the victim can force their user account to constantly log in automatically,” the researchers said. “This shortens the time needed to fully reveal the key to just a few minutes.”

It then may be possible to compromise other keys used on the MEGA platform.

Potential post-attack vectors could include stealing user data or even uploading files – such as illegal or compromising images and video – locking up the account, and then blackmailing the targeted individual.

MEGA response

Paterson said the team reported its findings to MEGA on March 24 and proposed ways to resolve the security holes.

While MEGA apparently “decided to react in ways that are different than what we suggested,” according to the researcher, the initial attack vector on the RSA key has now been patched.

When approached for comment, MEGA pointed us toward a security advisory which says the first fix has been rolled out and additional patches are being developed.

According to MEGA, only customers that have logged into their account at least 512 times could be at risk – and this does not include resuming existing sessions.

Furthermore, the organization says that to take advantage of the cryptographic flaws, attackers would need to “gain control over the heart of MEGA’s server infrastructure or achieve a successful man[ipulator]-in-the-middle attack on the user’s TLS connection to MEGA”.

“The reported vulnerabilities would have required MEGA to become a bad actor against certain of its users, or otherwise could only be exploited if another party compromised MEGA’s API servers or TLS connections without being noticed,” the firm added.

The Daily Swig passed on this reaction to researchers at ETH Zurich who responded by saying MEGA had only resolved some of the security shortcomings that they had identified:


As detailed on the webpage of the paper [1], we contacted MEGA on March 24, 2022, to inform them of the vulnerabilities. They responded the same day and acknowledged the issues. They have been very open and communicative throughout. As part of our disclosure, we provided them with three sets of countermeasures, ranging from ‘immediate’ to ‘recommended’.

MEGA decided to go with a different patch, which protects against the first three out of our five attacks. You can read more about this in their blog post [2]. We continue to stand by our recommended countermeasures, which we believe would protect against our attacks (and others) in a more robust way than the fix that MEGA decided for.


YOU MIGHT ALSO LIKE Oracle patches ‘miracle exploit’ impacting Middleware Fusion, cloud services