"Researchers Uncover Ways to Break the Encryption of 'MEGA' Cloud Storage Service"

Researchers at ETH Zurich found a number of critical security vulnerabilities in the MEGA cloud storage service that could allow malicious actors to break the confidentiality and integrity of user data. The researchers explain how MEGA's system does not protect its users against a malicious server, allowing a rogue actor to fully compromise the privacy of the uploaded files. In addition, the integrity of user data is damaged to the extent that an attacker can insert malicious files that pass all authenticity checks of the client. Among the flaws is an RSA Key Recovery Attack, which allows MEGA or a resourceful nation-state adversary in control of its Application Programming Interface (API) infrastructure to recover a user's RSA private key and decrypt the stored content. The recovered RSA key can then be extended to make way for plaintext recovery attacks, framing attacks, integrity attacks, and Guess-and-Purge (GaP) Bleichenbacher attacks. The attacks demonstrate that a motivated party can find and exploit vulnerabilities in real-world cryptographic architectures with disastrous security consequences. This article continues to discuss the ETH Zurich researchers' study on ways to break MEGA's encryption. 

THN reports "Researchers Uncover Ways to Break the Encryption of 'MEGA' Cloud Storage Service"