The Washington Post

Mega’s security may be unstable, CTO says don’t believe the hype

Mega, the file storage and sharing company from the famed Kim Dotcom, launched last week with the intent to let you securely send and receive files in the cloud. The company promises that all transactions and files are encrypted, but some researchers say that encryption should not be trusted.

“Quite frankly it felt like I had coded this in 2011 while drunk,” Nadim Kobeissi, founder of CryptoCat, told Forbes.

Mega promises that all your files are encrypted while being transferred or stored, and that you are the only one with the power to grant people access to those files. The company says that you don’t have to download anything: “It’s all done in the browser!” That is, you, the user, hold the “decryption key” in your browser, as opposed to the cloud service provider holding the decryption key.

This means that not even Mega can get into your files.

But, as Forbes notes, researchers say this protection is easily broken, since the encryption is handled entirely through code passed between Mega’s encryption server and your browser. Someone who got into Mega’s servers could theoretically tamper with the code being sent to your browser and grab, change, or eliminate your decryption key.

Mathias Ortmann, Mega’s CTO, however, says that researchers didn’t check their facts. Mega explained to VentureBeat in an email that the site uses 2048-bit SSL, and says that a previously discovered cross-site scripting vulnerability was fixed an hour after it was originally reported to the site. Ortmann also says the company is working on a way to let users change their passwords, an issue that originally meant users would lose their content forever if they forgot their password or were hacked.

Some are saying the encryption might just be a way to relieve Mega of any legal responsibility for copyrighted material, the issue Kim Dotcom had with MegaUpload. If all the data is encrypted, beyond Mega’s ability to decrypt it and know what kind of data is flowing through its service, then the company seemingly can’t be held liable in court for copyright infringement.

Dotcom announced yesterday that the site, which launched last week, has already seen upwards of one million users sign up. Of course, there’s no corroborating evidence, but the traction might make sense. MegaUpload, Dotcom’s original company that got him arrested for copyright violations, money laundering, and other charges, claimed to service four percent of the Internet. All those users were dispersed after the shutdown, and many loyalists might have flocked to Mega upon launch.

Copyright 2013, VentureBeat


