Mega: Bug bounty program resulted in seven vulnerabilities fixed so far

Crypographic challenges unsolved, no critical remote code execution flaw reported so far, Mega's creators say

One week after launching a security bug bounty program, the new file-storage and sharing service Mega claims to have fixed seven vulnerabilities, none of which met its highest severity classification.

Since Mega was launched three weeks ago, security researchers pinpointed several security issues with the service, ranging from simple cross-site scripting flaws to alleged weaknesses in its cryptographic model.

Mega's creators dismissed some of the issues as theoretical and asked for practical exploits. To support such efforts, a week ago they launched a vulnerability reward program similar to those run by companies such as Google, Facebook, Mozilla and PayPal, as well as two crypto cracking challenges to prove that their cryptographic implementation is solid.

The company promised rewards of up to ¬10,000 for responsibly reported vulnerabilities that meet the program's qualification requirements. In a new blog post published Saturday, the company said that reported vulnerabilities will be ranked according to severity, with "class I" being the least severe and "class VI" being the most severe.

So far, seven vulnerabilities have been reported and fixed, according to the blog post.

Of those, the most severe vulnerability was an "invalid application of CBC-MAC as a secure hash to integrity-check active content loaded from the distributed static content cluster." This vulnerability was rated class IV, which is assigned to "cryptographic design flaws that can be exploited only after compromising server infrastructure (live or post-mortem)."

However, this flaw's description matches that of a vulnerability publicly disclosed by a hacker group called fail0verflow on Jan. 23, over a week before Mega set up its vulnerability reward program. At the time the group reported that Mega was using CBC-MAC -- a message authentication code (MAC) algorithm -- with a fixed key to verify the integrity of JavaScript content served from its secondary servers. The group noted at the time that CBC-MAC was unsuitable for this purpose.

Shortly after fail0verflow's report, security researchers from antivirus firm Sophos reported that Mega dropped CBC-MAC in favor of SHA-256, a proper hashing function. In its new blog post Mega notes that that flaw was fixed within hours.

In addition to this vulnerability, Mega's creators claim that three cross-site scripting (XSS) vulnerabilities with a class III severity rating were addressed. Class III flaws are described as vulnerabilities that can be generally exploited to achieve remote code execution inside client browsers (cross-site scripting).

Mega did not publish the names of the researchers who discovered these flaws -- a somewhat unusual practice when compared to other bug bounty programs -- or how much money it paid for each one.

Based on discussions on Twitter, it seems that one of these three XSS vulnerabilities was reported by a security researcher named Frans Rosen. Rosen posted a screen shot of what appears to be his email communication with Mega, suggesting that he received a reward of ¬1,000 for his report.

A fourth XSS vulnerability was also addressed but this was rated as class II because it required the compromise of one of Mega's API (application programming interface) servers or a SSL/DNS man-in-the-middle attack to be successfully exploited.

Two low severity -- class I -- issues have also been fixed, the Mega creators said. They involved the failure to use HTTP Strict Transport Security (HSTS) and X-Frame-Options HTTP headers.

HSTS is a Web security policy mechanism that allows websites to force browsers to communicate over HTTPS (HTTP Secure) and reject the connection if it's redirected over plain, unencrypted, HTTP. The X-Frame-Options header can be used to specify whether a Web page can be loaded inside an iframe on another page and is used to protect against a type of attack known as clickjacking.

Both of these issues have been fixed and, in addition, mega.co.nz and *.api.mega.co.nz will be HSTS-preloaded in Chrome, the Mega creators said.

No class V or class VI vulnerabilities have been reported so far. Class V corresponds to vulnerabilities that could result in remote code execution or access control violations on Mega's main servers and class VI is reserved for fundamental flaws in the service's cryptographic implementation.

The two cryptographic cracking challenges that Mega launched last week have not yet been solved, prompting Mega's creators to boast: "please check back in a few billion billion years."

"Whatever you think of Mega, its founder, its raison d'etre, its bombasticity and even the value of the bounties its offering, it nevertheless reflects to the company's credit that it came out with the bounties at all," said Paul Ducklin, the head of technology for the Asia-Pacific region at Sophos antivirus, Monday in a blog post.

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags patchessophosInternet-based applications and servicesMegaonline safetysecurityExploits / vulnerabilitiesinternet

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Essentials

Microsoft L5V-00027 Sculpt Ergonomic Keyboard Desktop

Learn more >

Lexar® JumpDrive® S57 USB 3.0 flash drive

Learn more >

Mobile

Lexar® JumpDrive® S45 USB 3.0 flash drive 

Learn more >

Exec

Lexar® JumpDrive® C20c USB Type-C flash drive 

Learn more >

HD Pan/Tilt Wi-Fi Camera with Night Vision NC450

Learn more >

Lexar® Professional 1800x microSDHC™/microSDXC™ UHS-II cards 

Learn more >

Audio-Technica ATH-ANC70 Noise Cancelling Headphones

Learn more >

Budget

Back To Business Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?