Mega: Bug bounty program resulted in seven vulnerabilities fixed so far

One week after launching a security bug bounty program, the new file-storage and sharing service Mega claims to have fixed seven vulnerabilities, none of which met its highest severity classification.

Since Mega was launched three weeks ago, security researchers pinpointed several security issues with the service, ranging from simple cross-site scripting flaws to alleged weaknesses in its cryptographic model.

Mega's creators dismissed some of the issues as theoretical and asked for practical exploits. To support such efforts, a week ago they launched a vulnerability reward program similar to those run by companies such as Google, Facebook, Mozilla and PayPal, as well as two crypto cracking challenges to prove that their cryptographic implementation is solid.

The company promised rewards of up to €10,000 (NZ$16,000) for responsibly reported vulnerabilities that meet the program's qualification requirements. In a new blog post published Saturday, the company said that reported vulnerabilities will be ranked according to severity, with "class I" being the least severe and "class VI" being the most severe.

So far, seven vulnerabilities have been reported and fixed, according to the blog post.

Of those, the most severe vulnerability was an "invalid application of CBC-MAC as a secure hash to integrity-check active content loaded from the distributed static content cluster". This vulnerability was rated class IV, which is assigned to "cryptographic design flaws that can be exploited only after compromising server infrastructure (live or post-mortem)."

However, this flaw's description matches that of a vulnerability publicly disclosed by a hacker group called fail0verflow on Jan. 23, over a week before Mega set up its vulnerability reward program. At the time the group reported that Mega was using CBC-MAC - a message authentication code (MAC) algorithm - with a fixed key to verify the integrity of JavaScript content served from its secondary servers. The group noted at the time that CBC-MAC was unsuitable for this purpose.

Shortly after fail0verflow's report, security researchers from antivirus firm Sophos reported that Mega dropped CBC-MAC in favour of SHA-256, a proper hashing function. In its new blog post Mega notes that that flaw was fixed within hours.

In addition to this vulnerability, Mega's creators claim that three cross-site scripting (XSS) vulnerabilities with a class III severity rating were addressed. Class III flaws are described as vulnerabilities that can be generally exploited to achieve remote code execution inside client browsers (cross-site scripting).

Mega did not publish the names of the researchers who discovered these flaws - a somewhat unusual practice when compared to other bug bounty programs - or how much money it paid for each one.

Based on discussions on Twitter, it seems that one of these three XSS vulnerabilities was reported by a security researcher named Frans Rosen. Rosen posted a screen shot of what appears to be his email communication with Mega, suggesting that he received a reward of €1,000 (NZ$1,600) for his report.

A fourth XSS vulnerability was also addressed but this was rated as class II because it required the compromise of one of Mega's API (application programming interface) servers or a SSL/DNS man-in-the-middle attack to be successfully exploited.

Two low severity - class I - issues have also been fixed, the Mega creators said. They involved the failure to use HTTP Strict Transport Security (HSTS) and X-Frame-Options HTTP headers.

HSTS is a web security policy mechanism that allows websites to force browsers to communicate over HTTPS (HTTP Secure) and reject the connection if it's redirected over plain, unencrypted, HTTP. The X-Frame-Options header can be used to specify whether a Web page can be loaded inside an iframe on another page and is used to protect against a type of attack known as clickjacking.

Both of these issues have been fixed and, in addition, mega.co.nz and *.api.mega.co.nz will be HSTS-preloaded in Chrome, the Mega creators said.

No class V or class VI vulnerabilities have been reported so far. Class V corresponds to vulnerabilities that could result in remote code execution or access control violations on Mega's main servers and class VI is reserved for fundamental flaws in the service's cryptographic implementation.

The two cryptographic cracking challenges that Mega launched last week have not yet been solved, prompting Mega's creators to boast: "please check back in a few billion billion years".

"Whatever you think of Mega, its founder, its raison d'etre, its bombasticity and even the value of the bounties its offering, it nevertheless reflects to the company's credit that it came out with the bounties at all," said Paul Ducklin, the head of technology for the Asia-Pacific region at Sophos antivirus, Monday in a blog post.