Following the launch of the Mega cloud service at the start of this week, a security researcher has found a cryptographic flaw in it that could reveal user passwords.
Steve Thomas is designing a tool dubbed ‘MegaCracker’ that would crack hashes embedded into email confirmation links sent from Mega to users as they register for the service.
He said on Twitter that "a hash of your password is in the confirmation code. Cost is 65536 AES/password plus one AES/user. Which is very fast". He also said that he has not yet completed the tool and did not say how dangerous the threat was, as the confirmation emails would need to be intercepted before passwords could be cracked.
Since its launch by Kim Schmitz [AKA Kim Dotcom], the cloud-sharing service has been under the microscope because of its claims of strong security through the use of 128-bit AES encryption and 2,048-bit RSA public and private key infrastructure.
Schmitz was keen to avoid a repeat of the police raid on the now-seized cloud service MegaUpload, made on the grounds of copyright violation, by ensuring user data was encrypted before it hit Mega servers so the company would lack the keys to decrypt user data.
So far, security flaws including cross-site scripting and problems with random number generation have been discovered in the beta service. Security experts have also flagged problems with the fact that Mega uses a web browser to send encryption information, opening avenues for attackers to intercept keys by breaking SSL or by commandeering Mega's servers, some of which are said to be located in the United States.
Cryptocat creator and cryptography specialist Nadim Kobeissi went so far in his criticism of the site's security as to tell Forbes that "it felt like I had coded this in 2011 while drunk".
Yet allegations that Mega's use of deduplication - a function to avoid multiple uploads of a single file - would allow copyright enforcers to determine the names of files uploaded by users were overstated, according to Errata Security founder Robert David Graham.
“They think [deduplication is] impossible without the server knowing how to decrypt the file. It's actually quite possible”, Graham said in a blog.
Mega, he says, trips up because it allows users to check for duplicates using a filename, which is cheap on bandwidth but gives copyright enforcers an easy way to snuff out pirated content.
“This will cause [a flood of] millions of hashes trolling for content, and in the end, probably use more bandwidth than it saves,” he said.
Mega's chief technology officer told VentureBeat that some of the reported security concerns were overstated, and added that Mega was investigating ways to allow users to change the password used to encrypt the AES key.