Mega's Security Appears To Be Surprisingly Bad

from the trial-by-fire dept

We were a little skeptical of Kim Dotcom's new Mega cloud storage offering, in part because the claims of security and privacy seemed somewhat dubious upfront. We didn't see how it would be reasonably possible to do everything the service claimed it was doing in a manner that really kept the data secret. And, indeed, it has not taken long for security researchers around the globe to raise questions. Right away there were significant questions about the security design choices, including some questions about how random the random key generation really was, as well as significant concerns about Mega's claims that it offered deduplification (if things were really encrypted correctly, there would be nothing to deduplicate).

While Mega has responded to some of those criticisms, a whole host of other security questions have been raised, leading cryptographer Nadim Kobeissi to tell Forbes: "Quite frankly it felt like I had coded this in 2011 while drunk." A big part of the problem is that, by doing everything in the browser, you're really still trusting Mega, even as Mega implies that you have full control over the encryption.

And, then comes the news that when you first sign up, while Mega hashes your password, it sends you an email that includes the hash in plain text along with other data, such that one hacker has already released a tool to extract passwords from Mega's confirmation emails:
Steve "Sc00bz" Thomas, the researcher who uncovered the weakness, has released a program called MegaCracker that can extract passwords from the link contained in confirmation e-mails. Mega e-mails a link to all new users and requires that they click on it before they can use the cloud-based storage system, which boasts a long roster of encryption and security protections. Security professionals have long considered it taboo to send passwords in either plaintext or as cryptographic hashes in e-mails because of the ease attackers have in intercepting unencrypted messages sent over Internet.

Despite that admonishment, the link included in Mega confirmation e-mails contains not only a hash of the password, but it also includes other sensitive data, such as the encrypted master key used to decrypt the files stored in the account. MegaCracker works by isolating the AES-hashed password embedded in the link and attempting to guess the plaintext that was used to generate it.
Users still need to crack the hashed password, but that's a relatively easy brute force effort, especially for those who use weaker passwords (i.e., most people). There are, of course, much more secure ways of handling this, such as not including the plain text hash in the email.

All that said, many of these problems can be fixed, but when your whole pitch to the public is about how secure and private you are -- and some have been falsely implying that such a system allows individuals to avoid copyright infringement claims -- it seems reasonable to suggest that better security should be in place from the beginning.
Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: encryption, kim dotcom, privacy
Companies: mega


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • icon
    Hephaestus (profile), 23 Jan 2013 @ 10:13am

    "including some questions about how random the random key generation really was, as well as significant concerns about Mega's claims that it offered deduplification"

    The deduplication can be something as simple as a CRC checksum being generated pre-encryption. If they use a one way hash on it, generate a distinct hash key per user, and only link that to the specific users account. I do not see a problem.

    If however this is system wide deduplication, it opens them up to more of the same DOJ BS they were nailed with before.

    link to this | view in chronology ]

    • icon
      Jeremy Lyman (profile), 23 Jan 2013 @ 11:43am

      Re:

      I read a comment at ARS that tried to explain the dedup in a sharing context. If you upload a file and share it with a friend, it wouldn't be physically copied and encrypted again into his Mega account. His account would just possess the key required to access that original file, and so on as it is shared.

      I'm not sure if that's really what Mega is referring to, or if they're doing some pre-encryption analysis, but it seems a lot more reasonable and less intrusive to me.

      link to this | view in chronology ]

      • identicon
        PRMan, 23 Jan 2013 @ 1:13pm

        Re: Re:

        I have also seen discussed a method whereby the hash of the data of the file is the key to encrypt the file. Therefore, the same file always looks the same, even encrypted, but there is still no way to tell what it is without the key.

        Using this method, they could do deduplication, but still not know what they have.

        link to this | view in chronology ]

    • icon
      AdamF (profile), 23 Jan 2013 @ 11:44am

      Re:

      The problem with deduplication is that if somebody provides Mega with a file, Mega is able to determine which users have uploaded that same file. So it is not an issue if you are uploading family pictures or personal documents, but it is an issue if you are uploading anything from the internet.

      link to this | view in chronology ]

    • icon
      John Fenderson (profile), 23 Jan 2013 @ 12:41pm

      Re:

      I do not see a problem.


      The problem would be collisions. A checksum (or a hash) is not guaranteed to be unique to a given dataset. if two different datasets happen to result in the same checksum or hash, then the deduplication will catastrophically fail.

      link to this | view in chronology ]

  • icon
    Rikuo (profile), 23 Jan 2013 @ 11:25am

    Earlier today, I went on to a forum I'm a member of, where users can put up links to anime episodes on cyberlockers. Someone had uploaded an episode to the new Mega, and so, I thought I'd give it a try. I thought that, what with all the talk about need keys to decrypt, that I would at best just get an encrypted mess of garbage. Turns out the key was enabled in the link, so as far as I can understand: just like with MU, all a copyright holder needs is the link, so that they can fire off a DMCA to DotCom (which by the way, I'm mightily confused over: why the fuck is he still abiding by it, given that he's arranged things so that he has no US presence or connections at all?).

    link to this | view in chronology ]

    • icon
      Mike Masnick (profile), 23 Jan 2013 @ 11:29am

      Re:

      Turns out the key was enabled in the link, so as far as I can understand: just like with MU, all a copyright holder needs is the link, so that they can fire off a DMCA to DotCom

      When you generate a link it can include the key in the link or you can deliver the key separately. But for sharing things on a widespread nature, you're always going to include the key -- which was the point we raised in our original article about this, and why the talk of encryption is sort of overhyped.

      link to this | view in chronology ]

      • icon
        Rikuo (profile), 23 Jan 2013 @ 11:31am

        Re: Re:

        Yeah, I can only imagine what it would be like having to answer emails all day asking for the decrypt key...sorta like what would happen in a world that obeyed copyright perfectly, except instead of giving a key, you're giving permission (which is basically the same thing).

        link to this | view in chronology ]

      • icon
        JWW (profile), 23 Jan 2013 @ 12:05pm

        Re: Re:

        It would be great if the terms of service for the website forbid any officers or officials at MPAA or RIAA companies from using the keys.

        That way, they'll never be able to tell if copyrighted material has been uploaded to Mega without being in violation of the sites terms and conditions.

        Then we can get the feds to throw the book at the RIAA and MPAA for hacking Mega!!!

        link to this | view in chronology ]

        • icon
          DannyB (profile), 23 Jan 2013 @ 12:44pm

          Re: Re: Re:

          The problem with that is that the feds are a wholly owned subsidiary of Hollywood.

          link to this | view in chronology ]

          • identicon
            Anonymous Coward, 23 Jan 2013 @ 2:20pm

            Re: Re: Re: Re:

            No, the problem with that is that the Feds are a Hollywood parody of actual LEOs.

            link to this | view in chronology ]

  • identicon
    Lord Binky, 23 Jan 2013 @ 11:30am

    This is done to remove their knowledge of the content being stored.

    The intent is not about preventing anyone from unencrypting the data.

    Under the DMCA, circumventing ANY protection is illegal, no matter how trivial the protection is. To Identify if the content is legal, then an entity has to break the law without the encryption key. So sending a take down notice would be admitting you broke the law without thorough documentation how you gained access to the content.

    They are trying hide behind the same laws that are used against them. Exactly how the game is played.

    link to this | view in chronology ]

    • identicon
      Lord Binky, 23 Jan 2013 @ 11:36am

      Re:

      All it really needs is a tool that cracks the encryption in under a minute, and then the uploader shares the link and not the shared key.

      Most people could download and crack the trivial encryption, which would be illegal but of no significance to most people. That would be significant for ordinary take down notice groups though, especially troublesome when things go to court.

      link to this | view in chronology ]

    • identicon
      Anonymous Coward, 23 Jan 2013 @ 11:44am

      Re:

      Hadn't thought of it that way, but I would say that it does have a certain irony in it.

      link to this | view in chronology ]

      • identicon
        Kenneth Michaels, 23 Jan 2013 @ 12:23pm

        Not really, according to the DMCA

        This would be a clever use of the encryption, but it doesn't jive with the law.

        Pirates could decrypt/crack the content without violating the anti-circumvention portion of the DMCA. The DMCA defines “effectively control[ing] access to a work” to be controlling access to a work *with the authority of the copyright owner.* So, the encryption added to a copyrighted work (not owned by Mega or the user) would not be with the authority of the copyright owner.

        On the other hand, the copyright owner can also decrpyt his own work without violating the anti-circumvention part of the DMCA. Also, the DMCA defines to “circumvent a technological measure” to be to circumvent *without the authority of the copyright owner.* So, the copyright owner can always circumvent any DRM on his own work.

        link to this | view in chronology ]

        • identicon
          Lord Binky, 23 Jan 2013 @ 12:29pm

          Re: Not really, according to the DMCA

          So every time they decrypt something that is not owned by them they are still breaking the law?

          link to this | view in chronology ]

        • identicon
          Lord Binky, 23 Jan 2013 @ 12:34pm

          Re: Not really, according to the DMCA

          Doesn't proving they KNEW for a fact it was theirs and they would not be violating a law also provide a great argument point for lawyers?

          Making life hell for each other is the driving force behind all this crap anyways, so it seems it would still achieve that point fairly well.

          link to this | view in chronology ]

    • icon
      Zakida Paul (profile), 23 Jan 2013 @ 11:47am

      Re:

      Very much this. The encryption is not so much about user privacy or security as it is about using the law in his own favour.

      Quite a clever move, I must say.

      link to this | view in chronology ]

    • identicon
      Anonymous Coward, 23 Jan 2013 @ 12:03pm

      Re:

      It would take a special kind of plaintiff to see that actually tested though.

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 23 Jan 2013 @ 11:38am

    Apparently, their service only works if it can write files from JavaScript and is thus unusable in anything other than Chrome. As long as that's the case it will never reach the popularity of the old Megaupload.

    link to this | view in chronology ]

    • identicon
      Kenneth Michaels, 23 Jan 2013 @ 12:29pm

      Re: Google Driving Piracy

      So, Mega.co.nz only works with Google's Chrome browser. Once again, we see that Google is driving piracy. Google is the parasitic piracy leader, stealing copyrighted works and serving them to the world against their ads.

      link to this | view in chronology ]

      • icon
        Suzanne Lainson (profile), 24 Jan 2013 @ 10:18pm

        Re: Re: Google Driving Piracy

        This came out a few days ago, but I am only now getting around to reading it.

        Dotcom: Now I'm After Google | Stuff.co.nz: "'Right now Google is linking to all this content and even though Google is a great company and I love them and their attitude, Google is the largest index of pirated content in the world and they don't pay any licence holder and they are in business and they are doing really well,' he said.

        "'So if my software can force companies like Google to pay their little share to content creators, it wouldn't really hurt them.'"

        link to this | view in chronology ]

        • identicon
          F!, 24 Jan 2013 @ 10:57pm

          Re: Re: Re: Google Driving Piracy

          Somehow I'd missed that article too, thanks for sharing.

          What caught my eye:
          "He also repeated his willingness to help make a second undersea fibre cable from New Zealand to America a reality. However, he said it would be better placed into Panama rather than the US."

          This raises a good point - if connecting to/through the USA can be at all avoided, by all means go through somewhere else. Panama doesn't like taking orders from the USA, so that may help protect from any filtering traffic would be subject to when routed through the USA.

          link to this | view in chronology ]

    • identicon
      F!, 24 Jan 2013 @ 11:07pm

      Re:

      What are you talking about? That sentence is pure gobbledygook. I realize I'm talking to an AC, but source please?

      link to this | view in chronology ]

  • icon
    BentFranklin (profile), 23 Jan 2013 @ 11:45am

    You could solve the problem of trusting their encryption by encrypting with yours first, but that was always the case.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 23 Jan 2013 @ 12:27pm

    Dotcom has put out a challenge. check the post on Torrentfreak

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 23 Jan 2013 @ 1:19pm

    Mega has a response to the issues raised.

    https://mega.co.nz/#blog_3

    link to this | view in chronology ]

  • identicon
    Ann Onymous, 23 Jan 2013 @ 1:50pm

    I just want to point out that brute forcing the AES "hash" is not easy. They use 65536 iterations of the full AES block cipher. Even on Ivy Bridge CPUs with dedicated AES hardware, you still only get about 4500 guesses per second. If you use a random [a-zA-Z0-9]{10} password, it would take ~591,000 of these Ivy Bridge CPUs to crack it within 10 years. Good password hygiene and adhering to good sense should keep you safe from MegaCracker.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 23 Jan 2013 @ 3:53pm

    This is fascinating and all, but does it matter to me, the standard Mega user? All I care is that it's Megaupload 2: The Reuploading. It'll last for a few years, and then it'll get taken down again; until then, I have a place to share materials that are probably illegal somewhere for some reason or the other. When it gets taken down, someone else will have something new for me to use.

    If Megaupload users didn't get sued when Megaupload got taken down, what do we care how secure Mega is? It sounds to me like encryption is just a way to give Mega some legitimacy, which it will never have, and it's giving me some real cognitive dissonance headaches here. This is the wild west, and while someday the law might clean up the mexican standoffs, we'll have found an entirely new medium by then.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 23 Jan 2013 @ 4:33pm

    Perhaps a bit early for this reaction?

    We don't actually know for certain they will do any deduplication, or even that they are capable of it - we only know that their T&C reserves the right to do it.
    A fairly big leap.

    The password hash in email is a concern (although perhaps not a massive one), but doesn't seem to be nearly enough to say "Mega has bad security."

    Over the top, and too early.

    link to this | view in chronology ]

  • identicon
    F!, 23 Jan 2013 @ 10:46pm

    Mega's Response

    Mega has issued a response to the allegations (as previously pointed out by the AC above):
    https://mega.co.nz/#blog_3

    In the end, Mega remains far more secure than virtually all major cyber-lockers (e.g. DropBox, which is a security minefield) due to the fact that they are encrypting everything by default. Keep in mind though, they are doing it primarily for their own protection rather than their user's. The fact that it helps protect the user as well is just the icing.

    Basically the allegations boil down to astroturfing by people with an agenda against Kim and/or Mega. If you're really worried about it, encrypt everything on your end before adding Mega's layer of security.

    Of course everyone is already doing the right thing and encrypting everything anyway... RIGHT!?

    link to this | view in chronology ]

  • icon
    Ninja (profile), 24 Jan 2013 @ 2:47am

    I think it'll evolve with time. As for mailing the keys, well you should be protecting your e-mail too so I don't really see a problem here...

    link to this | view in chronology ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.