MEGA is one of the most popular cloud storage services. It has more than 250 million users, which means that when a problem arises, many people may be affected. That is what has happened following a report showing that MEGA can read user data, putting privacy at risk.
MEGA can see the saved files
Privacy is one of the main concerns when we use the Internet, and it is something MEGA has put a lot of emphasis on in recent years. The company published messages stating that users' files were fully protected and that, as long as we used strong passwords, no one could read what we stored.
That promise may have been a key factor in reaching 250 million users and more than 120 billion files, which occupy no less than 1,000 petabytes. The service promised that even MEGA itself could not decrypt these files, so, at least on paper, they were perfectly safe.
What has happened now? An independent investigation has analyzed MEGA’s so-called foolproof end-to-end encryption and found that it’s not that foolproof. According to those responsible for this report, the architecture used by the platform to encrypt files has numerous security flaws. That makes it possible for a would-be intruder to perform an attack to retrieve a key when users have logged in a number of times.
Those intruders could go on to decrypt stored files, which directly compromises the privacy of users. In addition, they may be able to upload content that is illegal or malicious. The researchers therefore warn that the MEGA system does not really protect users from a malicious server and is open to a series of attacks that, together, compromise the security of the stored files.
Update to fix these issues
This investigation took place last March. The researchers reported the problem directly to MEGA, which quickly started working on it. Last Tuesday MEGA began to roll out an update that makes it more difficult to exploit these flaws and decrypt the stored files.
Even so, the security researchers say that this patch only prevents the key recovery attack; it does not address the problem of password reuse, the lack of integrity checks, or other identification-related flaws. Blocking the main attack does make the others impossible to carry out, but the bugs are still there.
What does this mean? If an attacker ever finds another way to reach those vulnerabilities, they could still be exploited. For now they have not been completely corrected, so the risk continues to exist, although it is much lower now that the main bug that exposed MEGA files has been fixed.
MEGA has released a statement indicating that, for a short period of time, an attacker could, in very limited circumstances and against a limited number of users, have put them at risk. The company adds that this is already solved.
In short, the privacy of MEGA users has been in danger for at least a while. An attacker, under certain circumstances, could decrypt the stored files. Using secure storage platforms is very important, and although MEGA is one, errors of this type can always arise.