While MEGA apparently “decided to react in ways that are different than what we suggested,” according to the researcher, the initial attack vector on the RSA key has now been patched.

Paterson said the team reported its findings to MEGA on March 24 and proposed ways to resolve the security holes.

Potential post-attack vectors could include stealing user data or even uploading files – such as illegal or compromising images and video – locking up the account, and then blackmailing the targeted individual.

It then may be possible to compromise other keys used on the MEGA platform.

“This shortens the time needed to fully reveal the key to just a few minutes.”

“An additional manipulation of the MEGA software program on the computer of the victim can force their user account to constantly log in automatically,” the researchers said.

This permits integrity attacks, RSA key and plaintext recovery attacks, and establishes an RSA decryption attack vector.

By hijacking only a session ID, it takes a maximum of 512 login attempts to break into a MEGA account.

This key is then used to encrypt other key material, files, and more.

A lack of integrity protection of ciphertexts containing keys breaks the confidentiality of the master key and overall encryption system, according to the researchers.

Encryption cracked

After recreating part of the MEGA platform and attempting to brute-force their own accounts, the team says they found that using one main key represents a “fundamental” weakness in the service.

A paper (PDF) describing the flaw says that the MEGA client derives an authentication key from a user’s password.
However, according to the ETH Zurich University, based in Switzerland, in-depth testing of the platform has revealed “security holes that would allow the provider to decrypt and manipulate customer data”, despite its marketing claims to the contrary.

ETH Zurich cryptography researchers Matilda Backendal, Miro Haller, and Professor Kenneth Paterson analyzed MEGA’s source code and cryptographic architecture, uncovering a total of five vulnerabilities.

“MEGA does not have access to your password or your data.”

“All your data on MEGA is encrypted with a key derived from your password; in other words, your password is your main encryption key,” the organization says.

The company calls itself a “zero-knowledge” encryption service built with “privacy by design”. MEGA also allows users to make audio and video calls.

MEGA claims that its storage service is private by design, but according to researchers, the technology is beset with “serious” security issues.

Based in New Zealand, MEGA is a cloud storage service and messaging platform that offers end-to-end encryption to more than 250 million users.

Note: With no checked countries here, half the money will be a bank loan.

ETH Zurich finds flaws in the firm’s cryptographic infrastructure

The check byte turned out to simply be the sum of the other bytes mod 32.

The first is the check byte, the seven next are location bit flags (full of As early on), and the last four are the money (in thousands).

The passwords consist of eleven characters, from a set of 32 letters and numbers.

The next password was also full of As, but slightly different.

When I sold my first park, the password was full of As.

Here's some JavaScript for making passwords for Bullfrog's Theme Park for the Sega Mega Drive.

A bit of background: I played it recently, first time in 12 or so years.

Theme Park password generator (Sega Mega Drive/Genesis)