A security researcher has found a cryptographic flaw in the Mega cloud service, launched on Monday, that could let anyone who obtains a user's registration confirmation email recover that user's password.
Cryptography boffin Steve Thomas is designing a tool dubbed MegaCracker that would crack the password hash embedded in the email confirmation links Mega sends to users when they register for the service.
"A hash of your password is in the confirmation code. Cost is 65536 AES/password plus 1 AES/user. Which is very fast," Thomas wrote on Twitter.
#mega confirmation code contains "hashed" password aes(pwKey,[rand(0x100000000),0,0,rand(0x100000000)]) false positives 1 in 2^64 — Steve (@Sc00bzT) January 21, 2013
Thomas has not yet completed the tool and did not say how serious the threat is in practice: an attacker would first need to intercept the confirmation email before the hash it contains could be attacked offline.
The cloud sharing service owned by flamboyant businessman Kim Schmitz [AKA Kim Dotcom] has been under the microscope of crypto boffins since its heavily-hyped launch several days ago.
The service is of interest to the security world because of its claims of strong security through the use of 128-bit AES encryption and 2048-bit RSA key pairs.
Schmitz was keen to avoid a repeat of the police raid on the now-seized MegaUpload, made on the grounds of copyright violation, by ensuring user data was encrypted before it reached Mega's servers, so that the company itself would lack the keys needed to decrypt it.
So far, security flaws including cross-site scripting and problems with random number generation have been found in the beta service. Security folk have also flagged that Mega relies on the web browser to handle its encryption code and keys, which gives an attacker who can break the SSL connection, or who commandeers Mega's servers (some of which are said to be located in the United States), a way to intercept users' keys.
Cryptocat creator and cryptography boffin Nadim Kobeissi went so far in his criticism of the site's security as to tell Forbes "it felt like I had coded this in 2011 while drunk."
Yet allegations that Mega's use of deduplication - a function to avoid multiple uploads of a single file - would allow copyright enforcers to determine the names of files uploaded by users were overstated, according to Errata Security founder Robert David Graham.
"They think [deduplication is] impossible without the server knowing how to decrypt the file. It's actually quite possible," Graham said in a blog.
Where Mega trips up, he says, is in letting users check for duplicates by filename, which is cheap on bandwidth but gives copyright enforcers an easy way to sniff out pirated content.
"This will cause [a flood of] millions of hashes trolling for content, and in the end, probably use more bandwidth than it saves," he said.
Mega's chief technology officer told Venturebeat some of the reported security concerns were overstated, and added Mega was investigating ways to allow users to change the password used to encrypt the AES key.
Copyright © SC Magazine, Australia