Communications of the ACM

ACM TechNews

Mega Says It Can't Decrypt Your Files. POC Exploit Shows Otherwise



Following the announcement of the research, Mega began rolling out an update that makes it harder to perform the attacks. The researchers warn the patch provides only an "ad hoc" means for thwarting a key-recovery attack and does not fix the key reuse iss

Credit: Aurich Lawson/Getty Images

The cloud storage service Mega has long promised that not even the company can decrypt the data it stores.

However, a new report indicates that Mega's file encryption architecture contains fundamental cryptographic flaws that enable attackers to launch full key-recovery attacks on users after they have logged in a sufficient number of times.

Attackers can decipher stored files or upload malicious files that appear indistinguishable from user-uploaded data.

Said the researchers, "We show that MEGA's system does not protect its users against a malicious server and present five distinct attacks, which together allow for a full compromise of the confidentiality of user files."

The researchers added, "We built proof-of-concept versions of all the attacks, showcasing their practicality and exploitability."

Mega has issued an update to make such attacks more difficult, but the researchers said it does not remedy the systemic problems they uncovered.

From Ars Technica

Abstracts Copyright © 2022 SmithBucklin, Washington, DC, USA