Mega cloud with security vulnerabilities | TechBuzz

- Advertisement -

A team of cryptographers from ETH Zurich has extensively tested the cloud service from the New Zealand provider Mega. Security gaps were discovered that allow the provider to decrypt and manipulate customer data.

“Mega – The most trusted, best-protected cloud storage” is how the New Zealand cloud service provider Mega advertises its services. Like many providers of cloud solutions, Mega also promises that not even the company itself can view or change the stored data of the customers.

It is not primarily a question of whether customers trust the provider, but also that large IT service providers with millions of customers and billions of stored files, such as Mega, are inevitably targeted by secret services, governments or people with criminals intentions advised. “You can’t rule out the possibility of a large cloud provider having its systems compromised,” says ETH Professor Kenneth Paterson. “In addition, it also happens again and again that providers work together with government organizations.” It is all the more important that only customers can decrypt their cloud data.

ETH cryptography expert Matilda Backendal and her colleague Miro Haller tested Mega’s encryption together with Paterson and found serious security gaps. These enable the provider – or third parties who gain access to Mega’s servers – to decrypt customer data, to change it or to place specific data on the customer’s memory.

Basic vulnerability: One key for everything

- Advertisement -

Paterson and his team analyzed the source code of the New Zealand software and found several critical vulnerabilities. To test the effectiveness of the attacks, they partially recreated the New Zealanders’ platform and attempted to attack the researchers’ personal accounts.

READ  Review: StarTech's first Thunderbolt 4 dock delivers 8K display support and future-proof I/O | TechBuzz

If a user accesses their mega account, the user’s private RSA key can be stolen within a maximum of 512 login processes by manipulating the session ID. This key is used to exchange data. Additional manipulation of the mega software on the victim’s computer can cause the affected user account to automatically log in again and again. This shortens the time it takes for the key to be fully disclosed to just a few minutes.

Since the keys for file encryption, among other things, are protected in the same way, the attackers can also disclose all other keys based on the knowledge from the first attack.

Steal data, manipulate it or upload it yourself

- Advertisement -

Now the attackers have complete access to the unencrypted user data and can copy and manipulate it. An additional attack variant even makes it possible to upload arbitrary data to the victim’s cloud drive. Thus, the perpetrators can scam or blackmail the victim by inserting controversial, illegal, or compromising material into their file storage. The victim, in turn, has no chance to prove that they did not upload the material themselves.

The ETH researchers have disclosed the vulnerabilities found to Mega. “In addition, we provided Mega with a three-step action plan that outlines how the vulnerabilities could be remedied,” Paterson said. In a first phase, the team recommended a set of immediate actions that protect users from the most serious security issues.

The second phase provides more extensive changes to mitigate attacks more efficiently without making costly changes like data re-encryption. The third phase includes long-term goals for the redesign of the cryptographic architecture. “However, the company took different actions than those we proposed,” says Paterson. However, they are able to prevent the first attack – i.e. the one on the RSA key.

This article first appeared on ETH News.
- Advertisement -

Source link

- Advertisement -
I am admin of blog & I provide tech-related news. As a part of my hobby, I make content related to technology and gadgets reviews too. I love to be a content creator apart from it, I am a full-time employee in an MNC company and manage blogs systematically. You can mail me at [email protected]

More from author

Related posts


Latest posts

Kingsman 3: start of filming in 2023? | TechBuzz

Director Matthew Vaughn's third Kingsman movie is set to conclude the story arc of character Gary "Eggsy" Unwin, aka Galahad, played by Taron Egerton....

Revolution from Revuto: Lifetime subscriptions to Netflix and Spotify available to users for the first time | TechBuzz

By using advanced technology, Revuto by selling NFT enables users to have a lifetime subscription to their favorite streaming services with a stable price...

Want to stay up to date with the latest news?

We would love to hear from you! Please fill in your details and we will stay in touch. It's that simple!