The issue is in the legacy chat key exchange mechanism.Insert arbitrary files into a user’s account.Privacy and integrity of all stored data and chats are being destroyed.After a minimum of 512 such logins, the collected information enabled the attacker to decrypt parts of the account and also leverage further logins to successively decrypt the remainder of it.Incrementally accumulate some information every time a MEGA user logs in.Five Attacks Identified by the Researchers The Identified Vulnerabilities
In addition, files could have been placed in the account that appears to have been uploaded by the account holder (a “framing” attack).Ī team of researchers from the Applied Cryptography Group at the Department of Computer Science, ETH Zurich, reported a total of five vulnerabilities in MEGA’s cryptographic architecture. Files in the cloud drive could have been successively decrypted during subsequent logins. When a targeted account had made enough successful logins, incoming shared folders, MEGAdrop files, and chats could have been decryptable. The researchers say an attacker would have gained control over the heart of MEGA’s server infrastructure or achieved a successful man-in-the-middle attack on the user’s TLS connection to MEGA.
0 kommentar(er)
