[HN Gopher] Mega: Malleable Encryption Goes Awry
       ___________________________________________________________________
        
       Mega: Malleable Encryption Goes Awry
        
       Author : tptacek
       Score  : 35 points
       Date   : 2022-06-21 21:09 UTC (1 hours ago)
        
 (HTM) web link (mega-awry.io)
        
       | Shank wrote:
       | > MEGA can recover a user's RSA private key by maliciously
       | tampering with 512 login attempts.
       | 
       | I think this attack is really interesting and novel, but 512
       | login attempts is pretty high. I have a Mega account and I think
       | I've logged in less than 50 times in the entire lifetime of my
       | account, including when it was still controlled by Kim Dotcom. If
       | you're an interesting enough target to use this on, I don't see
       | why the Mega server that delivers the javascript for encryption
       | can't be compromised instead, and just harvest the passphrase
       | when it's submitted to login the first time?
       | 
       | I don't know what you'd have to do to convince someone to login
       | 512 times via social engineering, either. Presumably, a user who
       | is dedicated and uses the service on a daily basis might hit this
       | through normal usage in a year and a half? That's definitely
       | plausible, but how many users are initiating new logins each
       | time? How many will just stay logged into the app and never
       | login?
       | 
       | I guess for some percentage of people (e.g., people who are
       | logging in each time via Tails, and do it twice a day) this
       | attack is acutely viable, but it surely can't be all users.
        
       | collegeburner wrote:
       | Lmao imagine that. However mega brands itself it's still mostly a
       | cyberlocker for shady content and of leaks. Nobody uses it for
       | security.
       | 
       | Still interesting research tho.
        
         | azalemeth wrote:
         | I know doctors who have (legally) shared medical images with
         | it, because it offers much more storage than other providers
         | and works everywhere in a browser. It is also far, far better
         | than the "proper" channels. Similarly, I've received work-
         | related files on it from "official big dog" people in "big
         | companies". It's got a following beyond piracy (but because
         | they don't post links online, you probably haven't heard about
         | it as much).
        
         | naniwaduni wrote:
         | Yeah the "attack" is a bit out there when it's broadly assumed
         | that the point of MEGA's encryption isn't to protect users'
         | data, it's to protect _MEGA_ from the insinuation that it might
         | know what data its service is being used to store, much of
         | which is, of course, content that no right-thinking company
         | could store in good conscience. Good thing MEGA can't know
         | what the users are doing.
         | 
         | Just, I guess, take it under advisement for what designs
         | _don't_ work if you _actually_ care about protecting user data.
        
       | winterdeaf wrote:
       | This speaks volumes about the need of standardized encrypted
       | cloud storage protocols.
       | 
       | It always surprises me how fragmented the entire space is:
       | Syncthing "untrusted devices" support is still experimental,
       | Nextcloud does support encryption, but it's hard to judge how
       | trustworthy it is. Gocryptfs and ecryptfs should be solid, but
       | they are hard to use in a browser or on mobile. Resilio, Borg,
       | Tarsnap, EteSync -- yet more protocols, and without clear
       | security analyses.
       | 
       | Same holds for commercial cloud operators: support for client-
       | side encryption is starting to appear (Google Drive), but without
       | an open, standardized client you still need to trust software
       | from the cloud provider, which mostly defies the point of
       | encrypting in the first place.
        
       | tatersolid wrote:
       | Reminds me of Telegram's ad-hoc design with so many primitives
       | lashed together without any engineering or analysis. "More
       | crypto" in your implementation is rarely better for security.
       | 
       | This is a great teaching example for the "don't roll your own
       | crypto" proponents.
        
         | winterdeaf wrote:
         | The same research group working on the Telegram MTProto
         | security analysis is behind these attacks on MEGA!
         | 
         | (I should add: disclosure, I work there too.)
        
       | aborsy wrote:
       | I better appreciate the importance of the authenticated
       | encryption with this attack!
       | 
       | The data of 0.25 billion users could quite easily be decrypted by
       | whoever had access to MEGA's systems (including governments and
       | MEGA).
       | 
       | It also shows the importance of open source code. I suspect there
       | are far more vulnerabilities and backdoors in closed source
       | proprietary software.
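
Added example, not part of the thread or of MEGA's code: the point about authenticated encryption in the comment above, shown as what a client observes when a storage server alters a wrapped key blob. The AES-ECB wrapping, the blob layout, the sample secret and all function names are assumptions made for this illustration.

```javascript
const crypto = require('crypto');

// Constructed sample: a 32-byte stand-in for wrapped key material (two AES blocks).
const masterKey = crypto.randomBytes(16);
const secret = Buffer.from('0123456789abcdefFEDCBA9876543210', 'ascii');

// Unauthenticated wrapping: AES-ECB, no padding, no integrity tag.
function wrapEcb(key, plaintext) {
  const c = crypto.createCipheriv('aes-128-ecb', key, null);
  c.setAutoPadding(false);
  return Buffer.concat([c.update(plaintext), c.final()]);
}
function unwrapEcb(key, blob) {
  const d = crypto.createDecipheriv('aes-128-ecb', key, null);
  d.setAutoPadding(false);
  return Buffer.concat([d.update(blob), d.final()]);
}

// Authenticated wrapping: AES-GCM, blob = nonce (12) || tag (16) || ciphertext.
function wrapGcm(key, plaintext) {
  const nonce = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-128-gcm', key, nonce);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), ct]);
}
function unwrapGcm(key, blob) {
  const d = crypto.createDecipheriv('aes-128-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  // final() throws when the tag does not match the ciphertext.
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// Models a server that changes one bit in the last byte of the stored blob.
function tamper(blob) {
  const t = Buffer.from(blob);
  t[t.length - 1] ^= 0x01;
  return t;
}

// Returns the unwrapped bytes, or null if the client rejected the blob.
function tryUnwrap(unwrap, key, blob) {
  try { return unwrap(key, blob); } catch (e) { return null; }
}

function demo() {
  const ecb = tryUnwrap(unwrapEcb, masterKey, tamper(wrapEcb(masterKey, secret)));
  const gcm = tryUnwrap(unwrapGcm, masterKey, tamper(wrapGcm(masterKey, secret)));
  return {
    ecbAccepted: ecb !== null,
    ecbFirstBlockIntact: ecb !== null && ecb.subarray(0, 16).equals(secret.subarray(0, 16)),
    ecbSecondBlockChanged: ecb !== null && !ecb.subarray(16).equals(secret.subarray(16)),
    gcmRejected: gcm === null,
  };
}
```

With ECB the client silently accepts a blob whose second block now decrypts to different bytes; with GCM the same modification makes unwrapping fail, so altered key material never reaches later code.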
        
       ___________________________________________________________________
       (page generated 2022-06-21 23:00 UTC)