Taken together, our attacks highlight significant shortcomings in MEGA’s cryptographic architecture. They have all been responsibly disclosed to MEGA and remediation is underway. Four of the five attacks are eminently practical. We built proof-of-concept versions of all the attacks. Additionally, the integrity of user data is damaged to the extent that an attacker can insert malicious files of their choice which pass all authenticity checks of the client. We present five distinct attacks against MEGA, which together allow for a full compromise of the confidentiality of user files. We provide a detailed analysis of MEGA’s use of cryptography in such a malicious server setting.
This is intended to protect MEGA users from attacks by MEGA itself, or by adversaries who have taken control of MEGA’s infrastructure. This is achieved by having all data encryption and decryption operations done on MEGA clients, under the control of keys that are only available to those clients.
MEGA claims to offer user-controlled, end-to-end security. MEGA is a leading cloud storage platform with more than 250 million users and 1000 Petabytes of stored data.
0 kommentar(er)
