Mega pays out first batch of bounties, its crypto still intact
Posted on 12 February 2013.
Mega, the file hosting service and successor to Megaupload founded by Kim Dotcom, recently instituted a bug bounty program that should help keep the service and its users safe from a variety of security-relevant and design flaws.

The company offered rewards of up to 10,000 Euros per bug, depending on its complexity and impact potential, and offered the maximum reward to anyone who could break Mega's open source encryption scheme.

A little over a week later, they revealed that seven bugs had been discovered and reported, but that nobody had managed to crack any of the brute-force challenges.

They also explained in more detail how reported vulnerabilities are classified:
  • Severity class VI: Fundamental and generally exploitable cryptographic design flaws
  • Severity class V: Remote code execution on core MEGA servers (API/DB/root clusters) or major access control breaches
  • Severity class IV: Cryptographic design flaws that can be exploited only after compromising server infrastructure (live or post-mortem)
  • Severity class III: Generally exploitable remote code execution on client browsers (cross-site scripting)
  • Severity class II: Cross-site scripting that can be exploited only after compromising the API server cluster or successfully mounting a man-in-the-middle attack (e.g. by issuing a fake SSL certificate + DNS/BGP manipulation)
  • Severity class I: All lower-impact or purely theoretical scenarios.
No class V or VI vulnerabilities have been reported so far. The researchers unearthed four XSS flaws (severity classes II and III), two missing headers (the lack of one of which could have allowed clickjacking; severity class I), and an invalid application of CBC-MAC (severity class IV). All have already been fixed.
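The article does not name which missing header opened the clickjacking possibility. The standard controls against framing are the X-Frame-Options header and the frame-ancestors directive of Content-Security-Policy, and a scanner that looks only for the presence of a header misses the case where the header is present with a value browsers ignore. The check below is an added example written for this article, not Mega's code or the reporters' tooling; the header sets it evaluates are constructed samples, and the assumption that these two headers are the relevant ones is the author's.

```python
"""Report whether an HTTP response's headers restrict framing (clickjacking).

Added example; not code from Mega or from this article. Assumes the
anti-framing controls in question are X-Frame-Options and the CSP
frame-ancestors directive (the article does not name the missing header).
"""
from typing import Dict, List, Tuple

# The only X-Frame-Options values browsers act on. Anything else
# (e.g. ALLOWALL, a misspelling) is ignored and leaves the page framable.
VALID_XFO = {"DENY", "SAMEORIGIN"}


def _lower_keys(headers: Dict[str, str]) -> Dict[str, str]:
    """HTTP header names are case-insensitive; normalise them for lookup."""
    return {k.strip().lower(): v.strip() for k, v in headers.items()}


def _csp_directive(csp: str, name: str) -> List[str]:
    """Return the source list of one CSP directive, or [] if it is absent."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == name:
            return [p.lower() for p in parts[1:]]
    return []


def frame_protection(headers: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Return (protected, findings) for a response's headers.

    protected is True when at least one control forbids framing or limits
    it to named origins; findings lists what is missing or misconfigured.
    """
    h = _lower_keys(headers)
    findings: List[str] = []
    protected = False

    xfo = h.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options header missing")
    elif xfo.upper() in VALID_XFO:
        protected = True
    else:
        findings.append(f"X-Frame-Options value {xfo!r} is not DENY or SAMEORIGIN")

    csp = h.get("content-security-policy")
    ancestors = _csp_directive(csp, "frame-ancestors") if csp else []
    if not ancestors:
        findings.append("Content-Security-Policy frame-ancestors directive missing")
    elif any(src in ("*", "http:", "https:") for src in ancestors):
        # A wildcard or bare scheme lets any site frame the page.
        findings.append("frame-ancestors allows any origin ('*' or bare scheme)")
    else:
        protected = True

    return protected, findings


if __name__ == "__main__":
    # Constructed sample responses, not captured from any real server.
    samples = {
        "no headers": {},
        "xfo deny": {"X-Frame-Options": "DENY"},
        "csp none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
        "xfo ignored": {"X-Frame-Options": "ALLOWALL"},
        "csp wildcard": {"Content-Security-Policy": "frame-ancestors *"},
    }
    for label, hdrs in samples.items():
        ok, notes = frame_protection(hdrs)
        print(f"{label:13s} protected={ok} {notes}")
```

Run against the live response headers of each page rather than the server configuration, since a proxy or CDN in front of the origin can add or strip these headers.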

According to TNW, Kim Dotcom has confirmed that three of the bounties have already been paid out, and a tweet by The Hacker News revealed that the report on one of the XSS vulnerabilities was rewarded with 1,000 Euros.

"It is clear that the vulnerabilities identified so far could all be found by checking only a few lines of code at a time; none of them required any analysis at a higher level of abstraction," the company concluded in a blog post, adding that they hope that future submissions will include some that address higher-level and conceptual issues.

Copyright 1998-2014 by Help Net Security.