The key is accessible to any installed browser extension

Sep 3, 2013 12:40 GMT

Mega launched earlier this year from the ashes of MegaUpload, promising a brand new cloud hosting service that put privacy at its forefront. It did this by encrypting everything client-side. What this means is that not even Mega can decrypt the files it stores, even if it wanted to.

However, since Mega is primarily a web-based service, the technical side proved a bit problematic. Browsers and JavaScript weren't built with strong encryption in mind.

While there had been some initial concerns, Mega has passed the test of most security experts. The company also has a bug bounty program and rewards researchers who point out security flaws.

However, that doesn't mean Mega agrees with any such "flaws." For example, one researcher, Michael Koziarski, put together a bookmarklet which displays the Mega master key in plain text in the browser.

The catch is that the bookmarklet has to be run in a browser that has a Mega session open. The researcher says that any browser extension can similarly expose your key.

What's more, he says it's possible for Mega to retrieve your key from your computer and then use it to decrypt your files, if forced by a government agency.

Mega doesn't agree with this assessment. Mega developer Bram Van der Kolk argued that someone with access to your computer would have already bypassed any security that Mega would ever be able to implement.

"'Anyone else with access to your computer without you knowing' - you seriously want MEGA to protect users against this?" he tweeted.

He also suggested that, if users are worried Mega will try to grab the master key from them, they should simply install one of the current browser extensions and disable auto-updates. Because the apps are JavaScript, the code behind them can be analyzed, so any covert feature will be discovered.
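The researcher's claim that any installed extension can read the key comes down to which extensions are allowed to run code in the page holding the session. As an added example (not from the article, Mega or the researcher), this Node.js script checks extension manifests against Chrome-style match patterns to list the ones that can reach a given origin; the origin `https://storage.example/` and the sample manifests are constructed placeholders.

```javascript
// Does a Chrome-style match pattern cover the given URL?
function patternCovers(pattern, url) {
  if (pattern === '<all_urls>') return true;
  const m = /^(\*|https?|file|ftp):\/\/([^/]*)(\/.*)$/.exec(pattern);
  if (!m) return false;                 // API permission such as "tabs", not a host pattern
  const [, scheme, host, path] = m;
  const u = new URL(url);
  const proto = u.protocol.slice(0, -1);
  if (scheme === '*' ? !/^https?$/.test(proto) : scheme !== proto) return false;
  const hostOk = host === '*' ||
    (host.startsWith('*.')              // "*.a.b" covers a.b and every subdomain
      ? u.hostname === host.slice(2) || u.hostname.endsWith(host.slice(1))
      : u.hostname === host);
  if (!hostOk) return false;
  // The path part is a glob in which "*" matches any run of characters.
  const re = new RegExp('^' + path.split('*')
    .map(s => s.replace(/[.+?^${}()|[\]\\]/g, '\\$&')).join('.*') + '$');
  return re.test(u.pathname + u.search);
}

// Every pattern that lets the extension inject into, or reach into, a page.
function grantedPatterns(manifest) {
  const scripts = (manifest.content_scripts || []).flatMap(cs => cs.matches || []);
  return [...scripts,
    ...(manifest.permissions || []),        // manifest v2 lists host patterns here
    ...(manifest.host_permissions || [])];  // manifest v3 lists them here
}

// Names of the extensions that can reach the page at `url`.
function extensionsWithAccess(manifests, url) {
  return manifests
    .filter(m => grantedPatterns(m).some(p => patternCovers(p, url)))
    .map(m => m.name);
}

// Constructed sample manifests (hypothetical extensions and domains).
const SAMPLE = [
  { name: 'Ad filter', permissions: ['tabs', '<all_urls>'] },
  { name: 'Recipe clipper', content_scripts: [{ matches: ['https://*.recipes.example/*'] }] },
  { name: 'Price tracker', content_scripts: [{ matches: ['*://*/*'] }] },
  { name: 'Storage helper', host_permissions: ['https://*.storage.example/*'] },
  { name: 'Clock', permissions: ['alarms'] },
];

console.log(extensionsWithAccess(SAMPLE, 'https://storage.example/'));
```

Pointed at the `manifest.json` files of a real browser profile, the same check shows how many extensions would need to be reviewed before trusting a client-side key held in a page.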