Mega’s security not so mega? New tool reveals passwords stored in confirmation emails
Kim Dotcom’s new cloud storage and file-sharing site Mega is unquestionably a huge hit, racking up registrations like crazy. After an hour the site had received over 100,000 sign-ups, and was up to half a million registered users in the first 14 hours. According to a new tweet from Dotcom, it’s currently seeing 60 uploads a second.
Mega has made a big deal about security and privacy, with the site offering what it calls User Controlled Encryption, or UCE. All files stored on Mega are automatically encrypted, as are data transfers to and from the site. Users hold the keys to their own files, so Mega’s staff don’t know what’s being uploaded or shared, a move designed to protect the site from the authorities. However, despite all this promising security, it turns out the site may not be quite as safe as billed.
According to cryptography researcher Steve Thomas, a "hash" of the password is included in the confirmation code sent from Mega when a user registers for the service. And this could allow hackers to access user passwords. To prove the point he’s released a tool called MegaCracker which cracks the hashes embedded in the confirmation links.
Of course this means a hacker (or potentially the security services) would need to intercept an email before the password can be cracked, but it’s still a potential issue for the new site.
To use the tool you have to open up a command prompt, follow the instructions in the readme.txt and paste in the hash string from your confirmation email (or from someone else’s email, if you have it).
According to Steve Thomas, "There are at least six things in the confirmation link: encrypted master key (16 bytes), password hash (16 bytes), unknown field (15 bytes?), email address, name, and unknown field (8 bytes?)".
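The design problem described above is that a value derived from the password travels in the confirmation email, so anyone who can read that email can test password guesses against it offline without ever contacting the server. The following is an added illustration, not code from the article, from Steve Thomas or from Mega, and the hashing scheme in `weak_confirmation_token` is a hypothetical stand-in for the pattern, not Mega's actual format or algorithm. It places the weak pattern beside the usual fix: a random, single-use token stored server-side that carries no information about the password at all.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed sample account; not real user data.
SAMPLE_EMAIL = "user@example.com"
SAMPLE_PASSWORD = "correct horse battery"


def weak_confirmation_token(email: str, password: str) -> str:
    """Hypothetical weak scheme: the token sent by email embeds a hash
    derived from the password. Anyone holding the email can check a
    candidate password against it without talking to the server."""
    digest = hashlib.sha256((email + ":" + password).encode()).hexdigest()
    return digest[:32]  # 16 bytes, hex encoded, mirroring a 16-byte hash field


def weak_token_matches_guess(email: str, token: str, guess: str) -> bool:
    """The confirmation email acts as an offline password oracle."""
    return hmac.compare_digest(weak_confirmation_token(email, guess), token)


class PendingSignups:
    """Hardened pattern: the confirmation token is random and is only
    meaningful as a lookup key in server-side state. It is single-use and
    independent of the password, so an intercepted email reveals nothing
    about the credential and cannot be tested against guesses."""

    def __init__(self) -> None:
        self._pending: Dict[str, str] = {}  # token -> email awaiting confirmation

    def start(self, email: str, password: str) -> str:
        # The password is never mixed into the token; it would be stored
        # separately as a salted password hash (omitted here).
        token = secrets.token_urlsafe(32)
        self._pending[token] = email
        return token

    def confirm(self, token: str) -> Optional[str]:
        # pop() makes the token single-use; a replayed link fails.
        return self._pending.pop(token, None)


def safe_tokens_are_independent_of_password(password: str) -> bool:
    """Two signups with the same password must yield unrelated tokens;
    otherwise the token would leak something about the password."""
    store = PendingSignups()
    t1 = store.start("a@example.com", password)
    t2 = store.start("b@example.com", password)
    return t1 != t2


if __name__ == "__main__":
    leaked = weak_confirmation_token(SAMPLE_EMAIL, SAMPLE_PASSWORD)
    print("weak token confirms correct guess:",
          weak_token_matches_guess(SAMPLE_EMAIL, leaked, SAMPLE_PASSWORD))
    store = PendingSignups()
    tok = store.start(SAMPLE_EMAIL, SAMPLE_PASSWORD)
    print("safe token confirms once:", store.confirm(tok) == SAMPLE_EMAIL)
    print("safe token replay rejected:", store.confirm(tok) is None)
```

The check a reviewer would apply to any signup flow is the one `safe_tokens_are_independent_of_password` encodes: if two registrations with the same password produce related confirmation values, the email channel has become a password oracle, and encrypting files client-side does not help because the account password is what unlocks the client-side keys.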
Mega’s security has been under scrutiny since the site launched, and several experts have pinpointed other potential flaws, such as cross site scripting (XSS), and random number generation. Responding to the claims, Kim Dotcom tweeted: "There have been a few wrong reports about our encryption & security. Expect a blog post on #Mega later today".
Photo credit: Mega