Sign In

Communications of the ACM

ACM TechNews

Mega Says It Can't Decrypt Your Files. POC Exploit Shows Otherwise

View as: Print Mobile App Share:

Following the announcement of the research, Mega began rolling out an update that makes it harder to perform the attacks. The researchers warn the patch provides only an "ad hoc" means for thwarting a key-recovery attack and does not fix the key reuse iss

Credit: Aurich Lawson/Getty Images

The cloud storage service Mega has long promised that not even the company can decrypt the data it stores.

However, a new report indicates that Mega's file encryption architecture contains fundamental cryptography flaws that enables attackers to launch full key recovery attacks on users after they have logged in a sufficient number of times.

Attackers can decipher stored files or upload malicious files that appear indistinguishable from user uploaded data.

Said the researchers, "We show that MEGA's system does not protect its users against a malicious server and present five distinct attacks, which together allow for a full compromise of the confidentiality of user files."

The researchers added, "We built proof-of-concept versions of all the attacks, showcasing their practicality and exploitability."

Mega has issued an update to make such attacks more difficult, but the researchers said it does not remedy the systemic problems they uncovered.

From Ars Technica
View Full Article


Abstracts Copyright © 2022 SmithBucklin, Washington, DC, USA


No entries found

Sign In for Full Access
» Forgot Password? » Create an ACM Web Account