MEGA: Malleable Encryption Goes Awry

Mega ha una vulnerabilità nel loro sistema di crittografia dei dati

L’attacco è molto poco probabile (e  cmq. il livello di confidenzialità è superiore alle alternative).

Mega ha fatto delle modifiche per limitare ulteriormente il rischio, e altre ne faranno.

Source: Mega-Awry

We contacted MEGA to inform them of the vulnerabilities in their system and to suggest three different levels of mitigation (immediate, minimal, and recommended) on March 24, 2022. MEGA acknowledged the attacks, confirmed that the system is vulnerable and needs patching, and awarded us a bug bounty. We agreed to a 90-day disclosure window.

…MEGA decided to introduce additional client-side checks on the format of RSA private keys to protect against our first attack. They are explained in more detail in MEGA’s blog post. While these checks directly prevent the RSA key recovery attack, and hence by extension the attacks that depend on it, this fix significantly differs from our proposed countermeasures.

Continua qui: MEGA: Malleable Encryption Goes Awry

If you like this post, please consider sharing it.

Leave a Comment

Your email address will not be published. Required fields are marked *