MEGA, a cloud storage and file hosting service, takes great pride in its end-to-end encryption. It claims that it could not decrypt your saved files even if it wanted to.
But there’s a catch. A Swiss research team has just proven those statements false.
That’s not all. The study went one step further, discovering that an attacker could insert harmful files into the storage while passing all of the client’s authentication checks.
While reviewing MEGA’s security, researchers from the Department of Computer Science at ETH Zurich in Zurich, Switzerland, discovered serious problems with how it employs cryptography.
These discoveries may pave the way for devastating attacks on the integrity and confidentiality of user data stored in the MEGA cloud.
The MEGA client uses the password to generate both an authentication key and an encryption key. MEGA uses the authentication key to identify users. The encryption key encrypts the master key, which in turn encrypts the user’s other key material. Each account’s set of asymmetric keys consists of an RSA key pair for data sharing, a Curve25519 key pair for exchanging chat keys for MEGA’s chat capability, and an Ed25519 key pair for signing the other keys.
Additionally, the client creates a new key for each file or folder (collectively referred to as nodes) that the user uploads.
To cut a long story short, the password serves as the source of all keys in some way. To facilitate access from multiple devices, MEGA’s servers also store all of the keys.
Ciphertext is plaintext that has been encrypted using a cryptographic algorithm. The researchers created two attacks based on the fact that ciphertexts containing keys are not protected from integrity attacks, and they also created two additional attacks to compromise the integrity of file ciphertexts and enable a malicious service provider to add selected files to a user’s cloud storage.
Because of the flaws in integrity protection, a malicious service provider can recover a user’s private RSA share key (used to share file and folder keys) over 512 login attempts. The value is 512 because the attack turns the MEGA client’s RSA-CRT implementation into an oracle that leaks one bit of information about a factor of the RSA modulus per login attempt.
The malicious service provider can therefore decrypt any ciphertext that has been AES-ECB encrypted under a user’s master key. This includes all node keys used to encrypt files and folders. As a result, any user data secured by these keys, including files and chat messages, loses its confidentiality.
A malicious service provider can create an encrypted file using the results of the prior two attacks. The files and keys are indistinguishable from legitimately uploaded ones, making it impossible for the user to prove they weren’t uploaded in error. It goes without saying that a malicious file added in this attack could further compromise not only the user’s system but also the systems of everyone with whom the user has shared files or folders.
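The root cause described above, shown as an added example (not MEGA’s code or the researchers’): key material wrapped with AES-ECB accepts a server-side modification without any error, while an authenticated wrap rejects it. The master key, key blob, HKDF label and function names are constructed for illustration, and AES-GCM under a derived key is one possible hardening assumed here, not MEGA’s fix.

```javascript
const crypto = require('node:crypto');

// Constructed sample values for illustration, not taken from MEGA.
const masterKey = Buffer.from('000102030405060708090a0b0c0d0e0f', 'hex');
const keyBlob = Buffer.alloc(64, 0x41); // stand-in for four blocks of key material

// Weak: AES-ECB with no integrity tag (the construction the article describes).
function ecb(encrypt, key, data) {
  const c = encrypt
    ? crypto.createCipheriv('aes-128-ecb', key, null)
    : crypto.createDecipheriv('aes-128-ecb', key, null);
  c.setAutoPadding(false);
  return Buffer.concat([c.update(data), c.final()]);
}

// Hardened (one option, assumed here): AES-GCM under a key derived for wrapping only.
function wrapKey(master) {
  return Buffer.from(crypto.hkdfSync('sha256', master, Buffer.alloc(0), 'key-wrap-v1', 16));
}
function wrapGcm(master, data) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-128-gcm', wrapKey(master), iv);
  const ct = Buffer.concat([c.update(data), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]); // layout: iv | tag | ciphertext
}
function unwrapGcm(master, blob) {
  const d = crypto.createDecipheriv('aes-128-gcm', wrapKey(master), blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]); // final() throws if modified
}

// Models the storage server changing one bit of a stored blob.
function flipBit(blob, offset) {
  const out = Buffer.from(blob);
  out[offset] ^= 0x01;
  return out;
}

// Indices of 16-byte plaintext blocks that differ after the ECB blob is modified.
function ecbBlocksChanged() {
  const got = ecb(false, masterKey, flipBit(ecb(true, masterKey, keyBlob), 20));
  const same = (i) => got.subarray(16 * i, 16 * i + 16).equals(keyBlob.subarray(16 * i, 16 * i + 16));
  return [0, 1, 2, 3].filter((i) => !same(i));
}

function gcmRejectsModification() {
  try { unwrapGcm(masterKey, flipBit(wrapGcm(masterKey, keyBlob), 40)); return false; }
  catch (e) { return true; }
}

console.log('ECB: no error, blocks changed:', ecbBlocksChanged());
console.log('GCM: modification rejected:', gcmRejectsModification());
```

In the ECB case the client receives altered key material with no error and only the targeted block changes, which is the missing integrity protection the attacks rely on. The GCM case fails closed before any key material is used.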
Response from MEGA
On March 24, 2022, MEGA acknowledged the problem. On June 21, 2022, updates were made available, and the researchers received a bug bounty. In contrast to what the researchers suggested, MEGA’s fix only addresses the first attack, since all the subsequent attacks rely on it.
This still worries the researchers because it does not address the key reuse problem, the lack of integrity checks, and other systemic issues they uncovered.
There is no need to be concerned if you are a regular MEGA member and haven’t logged in more than 512 times. To carry out any of these attacks, an attacker would need to be in complete control of MEGA’s API servers or TLS connections without being detected.