AfterDawn: Tech news

MEGA hack challenge turns up 7 security flaws so far

Written by James Delahunty (Google+) @ 10 Feb 2013 19:00 User comments (1)

MEGA hack challenge turns up 7 security flaws so far Kim Dotcom will be paying out to hackers.
He offered hackers up to €10,000 per successful hack or exposure of security vulnerabilities with his new MEGA service. The actual amount paid out will depend on the severity rating of the security issue that is identified by the contestant.

There are six "severity class" vulnerabilities that hackers can aim at, with low impact or "purely theoretical scenarios" being at one end of the spectrum - class I - and more serious exploitable cryptographic design flaws at the other end - class VI.

The results show that so far, seven flaws have been identified with the MEGA service's security. They include two Class I flaws, one Class II flaws, three Class III flaws and one Class IV flaws. There were no Class V or VI flaws.

Here are the details...

Class I vulnerabilities:
  • HTTP Strict Transport Security header was missing. Fixed. Also, mega.co.nz and *.api.mega.co.nz will be HSTS-preloaded in Chrome.
  • X-Frame-Options header was missing, causing a clickjacking/UI redressing risk. Fixed.
Class II vulnerabilities:
  • XSS through strings passed from the API server to the download page (through three different vectors), the account page and the link export functionality. Mitigating factors apart from the need to control an API server or successfully mounting a man-in-the-middle attack : None. Fixed within hours.
Class III Vulnerabilities:
  • XSS through file and folder names. Mitigating factors: None. Fixed within hours.
  • XSS on the file download page. Mitigating factors: Chrome not vulnerable. Fixed within hours.
  • XSS in a third-party component (ZeroClipboard.swf). Mitigating factors: None. Fixed within hours
Class IV vulnerabilities:
  • Invalid application of CBC-MAC as a secure hash to integrity-check active content loaded from the distributed static content cluster. Mitigating factors: No static content servers had been operating in untrusted data centres at that time, thus no elevated exploitability relative to the root servers, apart from a man-in-the-middle risk due to the use of a 1024 bit SSL key on the static content servers. Fixed within hours.

Unfortunately the report does not name the people responsible for finding the flaws, nor does it give any details on what Kim Dotcom paid out (or intends to pay out).

Previous Next  

1 user comment

115.2.2013 21:32

Quote:
Unfortunately the report does not name the people responsible for finding the flaws, nor does it give any details on what Kim Dotcom paid out (or intends to pay out).
No surprise there this is really about debug for their security issues at no cost to them most likely. Smart marketing ploy really...

Comments have been disabled for this article.

Latest news

A bug in Chrome allows you to download Netflix movies A bug in Chrome allows you to download Netflix movies (25 Jun 2016 15:21)
A group of security researchers have found a vulnerability in Google's Chrome browser that allows downloading movies straight from Netflix. This is obviously not a feature especially the entertainment ....
1 user comment
Three out of four Netflix customers would rather cancel than watch ads Three out of four Netflix customers would rather cancel than watch ads (25 Jun 2016 14:05)
For a long time Netflix was adamant on its pricing. No changes were made for a long time and everything seemed to be good. The markets obviously reacted and more expensive deals and original ....
3 user comments
Apple Music left in the dust, Spotify at 100 million subscribers Apple Music left in the dust, Spotify at 100 million subscribers (25 Jun 2016 12:01)
Spotify has told The Telegraph that it has surpassed the 100 million mark in subscribers. Paying subscribers was earlier this year reported to have passed 30 million. Apple meanwhile is having ....
1 user comment
Rumor has it that Apple has cancelled iPhone's dual camera Rumor has it that Apple has cancelled iPhone's dual camera (18 Jun 2016 18:05)
The next iPhone will be a major upgrade to current iPhone 6s. This biyearly full upgrade cycle provides us with a bigger upgrade every two years. But how will Apple update its number one product, ....
6 user comments
OnePlus releases new flagship killer, smaller X discontinued OnePlus releases new "flagship killer", smaller X discontinued (18 Jun 2016 16:11)
The small Chinese smartphone maker OnePlus took the world by storm two years ago by releasing a super cheap flagship smartphone. They called it the flagship killer, and it indeed challenged ....
4 user comments

News archive