Mega says bug bounty program led to fixing of seven flaws
Crypographic challenges unsolved, no critical remote code execution flaw reported so far, Mega's creators say
IDG News Service - One week after launching a security bug bounty program, the new file-storage and sharing service Mega claims to have fixed seven vulnerabilities, none of which met its highest severity classification.
Since Mega was launched three weeks ago, security researchers pinpointed several security issues with the service, ranging from simple cross-site scripting flaws to alleged weaknesses in its cryptographic model.
Mega's creators dismissed some of the issues as theoretical and asked for practical exploits. To support such efforts, a week ago they launched a vulnerability reward program similar to those run by companies such as Google, Facebook, Mozilla and PayPal, as well as two crypto cracking challenges to prove that their cryptographic implementation is solid.
The company promised rewards of up to A!10,000 for responsibly reported vulnerabilities that meet the program's qualification requirements. In a new blog post published Saturday, the company said that reported vulnerabilities will be ranked according to severity, with "class I" being the least severe and "class VI" being the most severe.
So far, seven vulnerabilities have been reported and fixed, according to the blog post.
Of those, the most severe vulnerability was an "invalid application of CBC-MAC as a secure hash to integrity-check active content loaded from the distributed static content cluster." This vulnerability was rated class IV, which is assigned to "cryptographic design flaws that can be exploited only after compromising server infrastructure (live or post-mortem)."
Shortly after fail0verflow's report, security researchers from antivirus firm Sophos reported that Mega dropped CBC-MAC in favor of SHA-256, a proper hashing function. In its new blog post Mega notes that that flaw was fixed within hours.
In addition to this vulnerability, Mega's creators claim that three cross-site scripting (XSS) vulnerabilities with a class III severity rating were addressed. Class III flaws are described as vulnerabilities that can be generally exploited to achieve remote code execution inside client browsers (cross-site scripting).
Mega did not publish the names of the researchers who discovered these flaws -- a somewhat unusual practice when compared to other bug bounty programs -- or how much money it paid for each one.
Based on discussions on Twitter, it seems that one of these three XSS vulnerabilities was reported by a security researcher named Frans Rosen. Rosen posted a screen shot of what appears to be his email communication with Mega, suggesting that he received a reward of A!1,000 for his report.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The Threat Landscape Hardly a day goes by without the discovery of a new cyberthreat somewhere in the world! But how do you keep up with...
- Security for Virtualization In the rush to implement virtualization, security has become second. So while the business benefits are clear, the risks are less well documented...
- HP HAVEn: See the big picture in Big Data HP HAVEn is the industry's first comprehensive, scalable, open, and secure platform for Big Data. Enterprises are drowning in a sea of data...
- What Datapipe customers need to know about the new PCI DSS 3.0 compliance standard This handy quick reference outlines what PCI DSS 3.0 is, who needs to be compliant and how Alert Logic solutions address the new...
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well...
- The New Way to Work Knowledge Vault This Knowledge Vault focuses on how, in today's increasingly virtual world, it's more important than ever to engage deeply with employees, suppliers, partners,... All Malware and Vulnerabilities White Papers | Webcasts