Mega receives seven 'low-level' vulnerabilities in €10K crypto challenge

Mega said that it plans to keep the bug-bounty contest open indefinitely
Mega said that it plans to keep the bug-bounty contest open indefinitely

“We believe that it would be premature to draw any conclusions at this time – barely three weeks after our launch and one week into the program,” the company announced in its blog. “It is clear that the vulnerabilities identified so far could all be found by checking only a few lines of code at a time; none of them required any analysis at a higher level of abstraction.”

Mega said that thus, all of the issues were fixed “within hours.” Those taking the challenge found only severity class IV and below vulnerabilities: “Needless to mention that nobody cracked any of the brute-force challenges yet (please check back in a few billion billion years),” Mega said.

The top end of class IV consists of cryptographic design flaws that can be exploited only after compromising server infrastructure (live or post-mortem). Bug hunters found one of these: an invalid application of CBC-MAC as a secure hash to integrity-check active content loaded from the distributed static content cluster. Other than that, researchers found some cross-site scripting problems. They also found an HTTP Strict Transport Security header to be missing, while an X-Frame-Options header also was missing, causing a clickjacking/UI redressing risk.

The company said that it plans to keep the bug-bounty contest open indefinitely, and there is no deadline for submissions. “We're looking forward to your future submissions, hopefully including some that address higher-level and conceptual issues!” Mega said.

The challenge comes in the wake of several news reports that detailed potential holes in Mega’s cloud storage security mechanisms, which are mainly network- and bowser-based. “The cloud storage market is dominated by players that do not take advantage of cryptography beyond HTTPS and server-side encryption,” wrote Dotcom, in a blog post. “Since we set out to improve this rather dissatisfying situation three days ago, some news outlets have made attempts to dismantle our crypto architecture. Frankly, we were not too impressed with the results and would like to address the points that were raised.”

What’s Hot on Infosecurity Magazine?