Yet another security researcher is poking holes in the security of Mega, this time by pointing out that the confirmation messages e-mailed to new users can in many cases be cracked to reveal their password and take over their Mega accounts.
Steve "Sc00bz" Thomas, the researcher who uncovered the weakness, has released a program called MegaCracker that can extract passwords from the link contained in confirmation e-mails. Mega e-mails a link to all new users and requires that they click on it before they can use the cloud-based storage system, which boasts a long roster of encryption and security protections. Security professionals have long considered it taboo to send passwords in either plaintext or as cryptographic hashes in e-mails because of the ease attackers have in intercepting unencrypted messages sent over Internet.
Despite that admonishment, the link included in Mega confirmation e-mails contains not only a hash of the password, but it also includes other sensitive data, such as the encrypted master key used to decrypt the files stored in the account. MegaCracker works by isolating the AES-hashed password embedded in the link and attempting to guess the plaintext that was used to generate it.
"Since e-mail is unencrypted, anyone listening to the traffic can read the message," Thomas told Ars. "It makes no sense to send a confirmation link with a hash of your password."
In addition to the ease of intercepting e-mails as they traverse the Internet, the confirmation link could be recovered by government-backed investigators or others with a legal subpoena. Mega officials didn't immediately respond to a request for comment. On its website, the service said MegaCracker is "An excellent reminder not to use guessable/dictionary passwords, specifically not if your password also serves as the master encryption key to all files that you store on MEGA."
A confirmation sent to one Ars reporter looked like this:
https://mega.co.nz/#confirmcEkb58OFjQaYsoK5k9Xtabp_0cOLWlBz73NnnrnHvUh5yD0U2QIAKN6earEfPsRjeXJ1cy5mYXJpdmFyQGFyc3RlY2huaWNhLmNvbQlDeXJ1cyBGYXJpdmFyqskhB4hNfxs
When converted from base64 into an alternate encoding scheme known as hexadecimal, it looks like this:
70491be7c3858d0698b282b993d5ed69ba7fd1c38b5a5073ef73679eb9c7bd4879c83d14d9020028de9e6ab11f3ec463797275732e6661726976617240617273746563686e6963612e636f6d0943797275732046617269766172aac92107884d7f1b
This long string is, in fact, six shorter strings, that include the encrypted master key (70491be7c3858d0698b282b993d5ed69), the AES-hashed user password (ba7fd1c38b5a5073ef73679eb9c7bd48), as well as hashes hexes of the e-mail address (63797275732e6661726976617240617273746563686e6963612e636f6d), user's name (43797275732046617269766172), and two other elements Thomas still hasn't identified.
MegaCracker simply isolates the password hash and provides a platform for cracking it. The program requires crackers to supply their own list of word guesses. With the ability to guess 120 to 600 passwords per second it's a bit on the slow side, although it works faster with a precomputed file. With a bit of tweaking, oclHashcat-plus and other standalone password crackers could probably be used crack the hashes much more quickly.
Thomas said the inclusion of a password hash and encrypted master key is highly unusual in confirmation e-mails. Similar e-mails sent by Netflix, Amazon, Twitter, and other services send links containing a random value that only the receiver and the server know.
An attacker could use MegaCracker to reveal weaker passwords, and then use that passcode to decrypt the encrypted master key. From there, the attacker can take complete control of someone's Mega account and all the encrypted data stored in it.
Thomas is just one of the security researchers who has taken Mega's new service to task. Articles posted in the past 24 hours by Forbes and IDG News advised readers to be wary of the encryption provided by the service. Much of the criticism rests on the reliance of in-the-browser encryption from the SSL (secure sockets layer) protocol, which has been repeatedly bypassed over the years, most recently in late 2012. In its response, Mega officials didn't dispute that claim, writing only: "But if you can break SSL, you can break a lot of things that are even more interesting than MEGA."
Ars' own critique of the encryption package found that it included some puzzling design choices.
Expect to see a steady stream of critiques and fixes in Mega's security hygiene in the coming weeks, as researchers delve in further and Mega engineers respond. As Ars has long counseled, readers would do well to remain highly skeptical of storing anything confidential online unless the encryption has been certified by outside auditors, or at least has been used for a few years with no reports of compromise or serious security flaws.
Update
After this article was published Mega CTO Mathias Ortmann emailed a statement that indicates anyone who chose a weak password when registering their account has been temporarily stuck with the bad passcode. The statement, which is included in its entirety below, also seems to defend the decision to embed sensitive information in the plain-text emails Mega sends users:
Weak passwords that are at risk of being cracked through dictionary attacks or brute-forcing are a huge security risk. It makes no difference whether one attempts to mitigate that fact through security by obscurity or not. UNIX originally had world-readable user password hashes - a design decision that, assuming sufficiently strong passwords, did not jeopardize account security at all. Unfortunately, real users all too often used weak passwords, and the design was changed and obscurity (moving the password hashes to shadow file) added.
In a context where the password not only guards the login process itself, but also serves as the master encryption key to confidential data, obscurity instead of a strong password is simply not good enough.
We will add a password change capability shortly so that anyone who has picked a poor password can rectify that.
Listing image by binaryCoco
reader comments
66