A few weeks ago, Mega – the new file sharing website launched by Kim Dotcom – announced the start of a vulnerability reward program. In the report released for the first week, the company revealed that a total of 7 security holes have already been identified.
It turns out that no one has discovered a class V or class VI vulnerability; those two classes cover, respectively, remote code execution issues on core Mega servers and fundamental, generally exploitable cryptographic design flaws.
However, one class IV bug – which falls into the category of cryptographic design flaws that can be exploited only after compromising server infrastructure – has been identified.
It refers to an “invalid application of CBC-MAC as a secure hash to integrity-check active content loaded from the distributed static content cluster.”
As expected, most of the security holes are from the Class III category, which covers cross-site scripting (XSS) vulnerabilities.
A total of three XSS flaws have been identified: on the file download page, through file and folder names, and in a third-party component (ZeroClipboard.swf).
One vulnerability has been identified in severity class II. This category includes XSS that can be leveraged only after a successful man-in-the-middle attack or after compromising the API server cluster.
The issue reported to Mega is an XSS through strings passed from the API server to the download page.
Mega has also added HTTP Strict Transport Security (HSTS) and X-Frame-Options headers; the two reports that prompted these additions both fall under Class I vulnerabilities.
The details of the vulnerabilities haven’t been made public, but according to Mega representatives, most of them have been addressed within hours after being reported.
Mega encourages security experts to continue to submit their findings, especially if they’re higher-level or conceptual issues.