“We also invite vendors of third-party client software to upgrade to the latest MEGA SDK, and those who maintain their own MEGA API client implementation, to add an equivalent fix.”, according to the security update released by MEGA.

“We urge all users who are logging in frequently to upgrade their MEGA app as soon as possible. Users are recommended to upgrade the client software on all devices and then convert their account to a new, backward-incompatible, format.

Researchers noted that even if a provider’s API servers become controlled by an adversary, the encrypted user data should never be readable by the attacker – not even after 512 logins.

Furthermore, the folder links are not integrity-protected and carry the required meta AES key, and the mechanics underpinning the MEGAdrop feature could be leveraged.

- The issue is in the legacy chat key exchange mechanism.
- Insert arbitrary files into a user’s account.
- Privacy and integrity of all stored data and chats are being destroyed.
- After a minimum of 512 such logins, the collected information enabled the attacker to decrypt parts of the account and also leverage further logins to successively decrypt the remainder of it.
- Incrementally accumulate some information every time a MEGA user logs in.

Five Attacks Identified by the Researchers

The Identified Vulnerabilities

In addition, files could have been placed in the account that appear to have been uploaded by the account holder (a “framing” attack).

A team of researchers from the Applied Cryptography Group at the Department of Computer Science, ETH Zurich, reported a total of five vulnerabilities in MEGA’s cryptographic architecture.

Files in the cloud drive could have been successively decrypted during subsequent logins. When a targeted account had made enough successful logins, incoming shared folders, MEGAdrop files, and chats could have been decryptable.