Posted on June 23, 2022 at 8:14 PM
Researchers from academics at ETH Zurich have discovered a series of vulnerabilities in the MEGA cloud storage service that can be exploited to expose and steal users’ data. The research, titled “MEGA: Malleable Encryption Goes Awry,” shows how the MEGA system puts its users at high risk of attack. It has little or no protection for the user in case of a malicious server. The vulnerability allows threat actors to launch an attack and compromise the user’s system.
MEGA Has Over 10 Million Daily Users
Also, the user’s data has damaged its reliability to a high extent. As a result, the threat actor can plant malicious files of their own to easily circumvent the authenticity checks of the targeted system. Researchers at ETH Zurich, Kenneth G, Miro Haller, and Matilda Backendal said the bug could put several users in danger of being exploited by threat actors.
MEGA claims to have over 122 billion files uploaded to the platform. The company has more than 10 million daily active users and advertises itself as a “privacy company”. It claims to offer users user-controlled end-to-end encrypted cloud storage.
But it has failed to deal with several vulnerabilities that have kept users’ files at risk of exploitation. With this number of users, threat actors will have a field day exploiting several accounts on the platform.
One of the major vulnerabilities discovered in the system is the RSA Key Recovery Attack. It enables a threat actor with skills to have strong control of the API infrastructure. The attacker can tamper with 512 login attempts and decrypt the codes to recover a user’s RSA private key, the research discovered.
After enough successful logins have been made on targeted account chats, MEGAdrop files, and incoming shared folders could easily be decrypted. MEGA’s chief architect, Mathias Ortmann, stated that the subsequent logins could allow the threat actors to easily decrypt files in the cloud drive.
The Researchers Discover Four Attack Paths
The threat actors can then use the recovered RSA key to create more room for four additional attacks. These include Guess-and-Purge (GaP) Bleichenbacher attack, Integrity Attack, Framing Attack, and Plaintext Recovery Attack,
For the Plaintext Recovery Attack, the threat actors can exploit MEGA to decrypt node keys, which are encryption keys linked to uploaded files usually encrypted with a master key. The node keys can be used to decrypt other files and user communications.
The first attack is another variant of the Adaptive chosen-ciphertext attack. This has been existing since 1998 and was developed by Swiss cryptographer Daniel Bleichenbacher. It gives threat actors exploitation capabilities to decrypt RSA ciphertexts.
For the Framing Attack, the threat actors can use MEGA to plant arbitrary files into the user’s file storage that can be separated from authentic uploaded files.
The Integrity Attack is a less powerful variant of the Framing Attack. It can be exploited to copy a file with the victim’s name and planted it in the target’s storage space.
Each user is assigned a public RSA key which is used by MEGA or other users to encrypt data for the operator. The user also has a private key they utilize when decrypting data shared with them, according to the researchers. As a result, MEGA is capable of decrypting the RSA ciphertexts, although it requires a high number of login attempts.
The Integrity Attack Is The Least Dangerous
Generally, MEGA could be used to weaponize the attacks, but it can also be weaponized by any entity that controls the core infrastructure. This could be done by uploading a lookalike file and decrypting the file as well as other linked folders.
The vulnerabilities are very serious ones since they undermine MEGA’s security protocols to launch an attack on the user’s system. While other vulnerabilities are very severe, the shortcomings related to the breach of integrity can be handled easily. Solutions for such vulnerability are expected in the upcoming release.
The company has also commented on the Bleichenbacher-style attack, which has been termed very serious. According to the firm, despite the high threat of the attack, it is still very difficult to carry out by threat actors. The attack is very challenging to carry out in practice since it would need about 122,000 client interactions on average. Additionally, it would also need the removal of legacy code from all its clients.