Dotcom's Mega security bugs detailed

By on
Dotcom's Mega security bugs detailed

Cloud storage service Mega has released details of the first wave of vulnerabilities identified under its bug bounty program.

Founder Kim DotCom launched the program earlier this month and offered a maximum $13,000 to those who could break the site's security. 

Bugs are classified from severity six which include "fundamental and generally exploitable cryptography design flaws" down to level one encapsulating "all lower-level impact or purely theoretical scenarios".

The most severe of the reported vulnerabilities is an "invalid application of CBC-MAC as a secure hash to integrity-check active content loaded from the distributed static content cluster" which led only to man-in-the-middle risks, a Mega blog post read.

Other flaws relate to cross site scripting and bad headers.

"It is clear that the vulnerabilities identified so far could all be found by checking only a few lines of code at a time; none of them required any analysis at a higher level of abstraction," the blog post stated, adding that Mega's cryptographic brute-force challenges have not been cracked: "please check back in a few billion billion years". 

Mega chief technology officer Mathias Ortmann said the vulnerable Flash file was taken down while the fix was developed.

"After the ZeroClipboard debacle, we should have known better, but our ActionScripter was not instructed properly," Ortmann said.

Detectify security researcher Frans Rosen scored $1300 for XSS vulnerabilities related to flash files.

"One of the Flash files [sent] over unsanitised parameters back to the JavaScript and as soon as I had that I was able to inject some exploit code and [create] an attack vector executing JavaScript code on their platform," Rosen said.

"Mega has a limited amount of vectors to inject into: you have files to upload, directories for the files and your account information.

"Mega right now could isolate quite good because they have limited [attack] vectors but right now they are launching (social media platform) Megabox … which creates a lot of new vectors."

He says Mega's public boasting that it has a strong security posture encourages researchers to hunt for bugs.

Got a news tip for our journalists? Share it with us anonymously here.

Copyright © SC Magazine, Australia

Tags:
bug bounties detectify exploits mega security vulnerabilities xss

Partner Content

Build cybersecurity capability with award winning Fortinet training from Ingram Micro
Build cybersecurity capability with award winning Fortinet training from Ingram Micro
Kaseya Dattocon APAC 2024 is Back
Kaseya Dattocon APAC 2024 is Back
Tech For Good program gives purpose and strong business outcomes
Tech For Good program gives purpose and strong business outcomes
Secure, integrated platforms enable MSPs to focus bringing powerful solutions to customers
Secure, integrated platforms enable MSPs to focus bringing powerful solutions to customers
How NinjaOne Is Supporting The Channel As It Builds An Innovative Global Partner Program
How NinjaOne Is Supporting The Channel As It Builds An Innovative Global Partner Program

Sponsored Whitepapers

Stop Fraud Before It Starts: A Must-Read Guide for Safer Customer Communications
Stop Fraud Before It Starts: A Must-Read Guide for Safer Customer Communications
The Cybersecurity Playbook for Partners in Asia Pacific and Japan
The Cybersecurity Playbook for Partners in Asia Pacific and Japan
Pulseway Essential Eight Framework
Pulseway Essential Eight Framework
7 Best Practices For Implementing Human Risk Management
7 Best Practices For Implementing Human Risk Management
2025 State of Machine Identity Security Report
2025 State of Machine Identity Security Report

Events

techpartner.news MSP index - Brisbane
techpartner.news MSP index - Brisbane
techpartner.news Channel Leader List / Golf day
techpartner.news Channel Leader List / Golf day
techpartner.news Pipeline Conference 2025
techpartner.news Pipeline Conference 2025
Integrate Expo 2025
Integrate Expo 2025
Security Exhibition & Conference 2025
Security Exhibition & Conference 2025

Most read articles

AI ambition: Nick Beaugeard looks to harness AI agents to provide tech services

AI ambition: Nick Beaugeard looks to harness AI agents to provide tech services
Tech Research Asia to present Australian IT M&A report

Tech Research Asia to present Australian IT M&A report
MSPs pressed to review ransomware response as new reporting rules commence

MSPs pressed to review ransomware response as new reporting rules commence
Vic gov to spend $100m on cyber security

Vic gov to spend $100m on cyber security

Log in

Email:
Password:
  |  Forgot your password?