Mega’s security may be unstable, CTO says don’t believe the hype

The new file storage and sharing company from Kim Dotcom launched last week, promising to let you securely send and receive files in the cloud. But some researchers are saying that you should not trust Mega's encryption.

“Quite frankly, it felt like I had coded this in 2011 while drunk,” Nadim Kobeissi, the founder of CryptoCat, told Forbes.

Mega promises that all your files are encrypted while being transferred or stored and that you are the only one with the power to grant people access to those files. It says that you don’t have to download anything — “It’s all done in the browser!” That is, you, the user, hold the “decryption key” in your browser, as opposed to the cloud service provider holding the decryption key.

This means that not even Mega can get into your files.

But as Forbes notes, researchers say this protection is easily undermined, because the encryption is performed entirely by code that Mega's servers send to your browser. Someone who got into Mega's servers could theoretically tamper with the code being sent to your browser and grab, change, or discard your decryption key.

Mathias Ortmann, Mega's CTO, however, says that the researchers didn't check their facts. Mega explained to VentureBeat in an email that the site uses 2048-bit SSL, and that a previously discovered cross-site scripting vulnerability was fixed an hour after it was originally reported to the site. Ortmann also says the company is working on a way to let users change their passwords; originally, users who forgot their password or were hacked would lose their content forever.

Some are saying the encryption might simply be a way to relieve Mega of any legal responsibility for copyrighted material, the issue that landed Kim Dotcom in trouble with MegaUpload. If all the data is encrypted beyond Mega's ability to decrypt it, so that Mega cannot know what kind of data is flowing through its service, then it seemingly can't be held liable in court for copyright infringement.

Dotcom announced yesterday that the site, which launched last week, has already seen upward of one million users sign up. There is no corroborating evidence, but the traction would make sense. MegaUpload, Dotcom's original company, whose operation got him arrested on charges of copyright violations, money laundering, and more, claimed to serve 4 percent of the Internet. All those users were dispersed after the shutdown, and many loyalists might have flocked to Mega upon launch.

via Ars Technica; Kim Dotcom image via Abode of Chaos/Flickr