MEGA is one of the most popular cloud storage services. It has more than 250 million users, which means that any problem can affect many people. That is what has happened now: a report shows that MEGA can read user data, putting privacy at risk.
MEGA can see the saved files
Privacy is one of the main concerns when we browse the Internet, and it is something MEGA has put a lot of emphasis on in recent years. The company put out messages stating that users’ files were fully protected and that, as long as we used strong passwords, no one could read what we were storing.
That promise has perhaps been key to reaching the figure of 250 million users and more than 120 billion files, which occupy no less than 1,000 petabytes. The service promised that not even MEGA itself could decrypt these files, so, at least on paper, they were perfectly safe.
What has happened now? An independent investigation has analyzed MEGA’s supposedly foolproof end-to-end encryption and found that it is not that foolproof. According to the authors of the report, the architecture the platform uses to encrypt files has numerous security flaws. These make it possible for a would-be intruder to carry out an attack that retrieves a key once a user has logged in a number of times.
These intruders could even decrypt the stored files, directly compromising the privacy of users. In addition, they may be able to upload content that may be illegal or malicious. The researchers therefore warn that the MEGA system does not really protect users against a malicious server and is exposed to a series of attacks that, together, compromise the security of the stored files.
Update to fix these issues
This investigation took place last March. The researchers reported the problem directly to MEGA, which quickly started working on it. Last Tuesday MEGA began to implement an update that makes it more difficult to exploit these flaws and decrypt the stored files.
Even so, the security researchers indicate that this patch only prevents the key recovery attack; it does not address the problem of password reuse, the lack of integrity checks or other identification-related flaws. Blocking the main attack prevents the others from being carried out, but the underlying bugs are still there.
What does this mean? Should an attacker ever find another way to reach those vulnerabilities, they could still be exploited. For now they have not been completely corrected, which means the risk continues to exist, although it is logically much lower now that the main bug that exposed MEGA files has been fixed.
MEGA has released a message indicating that, for a short period of time, it was possible for an attacker, in very limited circumstances and against a limited number of users, to put the company’s commitment at risk. It adds that this has already been solved.
In short, as you have seen, the privacy of MEGA users has been in danger for at least a while. An attacker, under certain circumstances, could decrypt the stored files. Using secure storage platforms is very important and, although MEGA is one, errors of this type can always arise.