MEGA hack challenge turns up 7 security flaws so far

Kim Dotcom will be paying out to hackers.

He offered hackers up to €10,000 per successful hack or exposure of a security vulnerability in his new MEGA service. The actual amount paid out will depend on the severity rating of the security issue identified by the contestant.



There are six "severity classes" of vulnerability that hackers can aim at, with low impact or "purely theoretical scenarios" at one end of the spectrum - class I - and more serious exploitable cryptographic design flaws at the other end - class VI.

The results show that so far, seven flaws have been identified in the MEGA service's security. They include two Class I flaws, one Class II flaw, three Class III flaws and one Class IV flaw. There were no Class V or VI flaws.

Here are the details...

Class I vulnerabilities:
  • HTTP Strict Transport Security header was missing. Fixed. Also, mega.co.nz and *.api.mega.co.nz will be HSTS-preloaded in Chrome.
  • X-Frame-Options header was missing, causing a clickjacking/UI redressing risk. Fixed.
Class II vulnerabilities:
  • XSS through strings passed from the API server to the download page (through three different vectors), the account page and the link export functionality. Mitigating factors (apart from the need to control an API server or to successfully mount a man-in-the-middle attack): None. Fixed within hours.
Class III vulnerabilities:
  • XSS through file and folder names. Mitigating factors: None. Fixed within hours.
  • XSS on the file download page. Mitigating factors: Chrome not vulnerable. Fixed within hours.
  • XSS in a third-party component (ZeroClipboard.swf). Mitigating factors: None. Fixed within hours.
Class IV vulnerabilities:
  • Invalid application of CBC-MAC as a secure hash to integrity-check active content loaded from the distributed static content cluster. Mitigating factors: No static content servers had been operating in untrusted data centres at that time, thus no elevated exploitability relative to the root servers, apart from a man-in-the-middle risk due to the use of a 1024-bit SSL key on the static content servers. Fixed within hours.

Unfortunately the report does not name the people responsible for finding the flaws, nor does it give any details on what Kim Dotcom paid out (or intends to pay out).

Written by: James Delahunty @ 10 Feb 2013 19:00
  • 1 comment
  • Mr-Movies

    Quote: Unfortunately the report does not name the people responsible for finding the flaws, nor does it give any details on what Kim Dotcom paid out (or intends to pay out).

    No surprise there; this is really about debug for their security issues at no cost to them, most likely. Smart marketing ploy really...

    15.2.2013 21:32 #1
