"This means that if the preconditions for the other attacks are fulfilled in some different way, they can still be exploited," the researchers wrote in an email. With the researchers' precise key-recovery attack no longer possible, the other exploits described in the research are no longer possible, either, but the lack of a comprehensive fix is a source of concern for them. But the researchers warn that the patch provides only an "ad hoc" means for thwarting their key-recovery attack and does not fix the key reuse issue, lack of integrity checks, and other systemic problems they identified. We built proof-of-concept versions of all the attacks, showcasing their practicality and exploitability."Īfter receiving the researchers' report privately in March, Mega on Tuesday began rolling out an update that makes it harder to perform the attacks. "Additionally, the integrity of user data is damaged to the extent that an attacker can insert malicious files of their choice which pass all authenticity checks of the client. "We show that MEGA's system does not protect its users against a malicious server and present five distinct attacks, which together allow for a full compromise of the confidentiality of user files," the researchers wrote on a website. With that, the malicious party can decipher stored files or even upload incriminating or otherwise malicious files to an account these files look indistinguishable from genuinely uploaded data. The authors say that the architecture Mega uses to encrypt files is riddled with fundamental cryptography flaws that make it trivial for anyone with control of the platform to perform a full key recovery attack on users once they have logged in a sufficient number of times. Research published on Tuesday shows there's no truth to the claim that Mega, or an entity with control over Mega's infrastructure, is unable to access data stored on the service. Third-party reviewers have been all too happy to agree and to cite the Mega claim when recommending the service. Even in the exceptionally improbable event MEGA's entire infrastructure is seized!" (emphasis added). In it, the company claims, "As long as you ensure that your password is sufficiently strong and unique, no one will ever be able to access your data on MEGA.
Over the years, the company has repeatedly reminded the world of this supposed distinction, which is perhaps best summarized in this blog post.
0 kommentar(er)
