Kim Dotcom's Mega details first wave of security bugs

Powered by SC Magazine

Netted through bug bounty program.

Cloud storage service Mega has released details of the first wave of vulnerabilities identified under its bug bounty program.

Founder Kim DotCom launched the program earlier this month and offered a maximum $13,000 (10,000 euros) to those who could break the site's security. 

Bugs are classified from severity six which include "fundamental and generally exploitable cryptography design flaws" down to level one encapsulating "all lower-level impact or purely theoretical scenarios".

The most severe of the reported vulnerabilities is an "invalid application of CBC-MAC as a secure hash to integrity-check active content loaded from the distributed static content cluster" which led only to man-in-the-middle risks, a Mega blog post read.

Other flaws relate to cross site scripting and bad headers.

"It is clear that the vulnerabilities identified so far could all be found by checking only a few lines of code at a time; none of them required any analysis at a higher level of abstraction," a blog post stated, adding that Mega's cryptographic brute-force challenges have not been cracked: "Please check back in a few billion billion years". 

Mega chief technology officer Mathias Ortmann said the vulnerable Flash file was taken down while a fix was developed.

"After the ZeroClipboard debacle, we should have known better, but our ActionScripter was not instructed properly," Ortmann said.

Detectify security researcher Frans Rosen scored $1300 for XSS vulnerabilities related to flash files.

"One of the Flash files [sent] over unsanitised parameters back to the JavaScript and as soon as I had that I was able to inject some exploit code and [create] an attack vector executing JavaScript code on their platform," Rosen said.

"Mega has a limited amount of vectors to inject into: you have files to upload, directories for the files and your account information.

"Mega right now could isolate quite good because they have limited [attack] vectors but right now they are launching (social media platform) Megabox … which creates a lot of new vectors."

He said Mega's public boasting that it has a strong security posture encouraged researchers to hunt for bugs.

Copyright © SC Magazine, Australia

Kim Dotcom's Mega details first wave of security bugs
Top Stories
The True Cost of BYOD - 2014 survey
Twelve months on from our first study, is BYOD a better proposition?
Photos: Unboxing the Magnus supercomputer
Pawsey's biggest beast slots into place.
ANZ looks to life beyond the transaction
If digital disruptors think an online payments startup could rock the big four, they’ve missed the point of why people use banks, says Patrick Maes.
Sign up to receive iTnews email bulletins
Latest Comments
What is delaying adoption of public cloud in your organisation?

   |   View results
Lock-in concerns
Application integration concerns
Security and compliance concerns
Unreliable network infrastructure
Data sovereignty concerns
Lack of stakeholder support
Protecting on-premise IT jobs
Difficulty transitioning CapEx budget into OpEx