According to this article, "Mega says it can't decrypt your files. New POC exploit shows otherwise" | Ars Technica
Security researchers discovered vulnerabilities with MEGA's infrastructure. A lot of it went over my head. I use MEGA, and I don't encrypt before uploading, so I depend on the cloud's encryption (not willing to encrypt myself, too inconvenient, and I like automatic camera uploads). Is this severe enough to warrant moving to something like filen(dot)io? Or is the response by MEGA ("MEGA Security Update" - Mega Blog) sufficient enough to resume using their service?
In my opinion, the vulnerability doesn’t matter. Pick the cloud provider that works best for you and encrypt the files yourself. (Oh yea, it’s pretty inconvenient)
Then buy yourself some hardware and host a NAS if USBs are too bothersome. If guaranteed security is what you want, then you have to work for it one way or the other.
Flaws will always be part of the equation no matter which cloud service you use.
We use MEGA internally. For us it’s a big deal given E2EE is the main selling point. Yes, it’s unlikely to impact users, but it outlines a general poor approach to security in the first place that scares me away from the service. (at the moment)
The good news: Even if they were actively using this exploit maliciously, you’re still no worse off than you are using Google Drive/Dropbox/iCloud/etc. and exploits like these are why we always recommend encrypting things BEFORE they touch the cloud.
Like all trust issues, it'll come down to personal preference. I've lost a lot of faith in them, but others may not. Only you can decide if you still trust the service. Their response to the situation isn't bad; I am just upset these (somewhat large) issues existed in the first place, as it speaks to their unnecessarily complex platform they can't seem to control.
I agree with your point. After mulling it over for a bit, I’ve decided that despite this vulnerability not impacting the average user, it shows that the way MEGA implements their encryption is fundamentally flawed. I really like their service because of the functionality, it seemed to work seamlessly and their prices are unmatched compared to the alternatives. Really unfortunate. Will this be covered on next week’s surveillance report? And do you guys plan to migrate away from MEGA?
If you’re the kind of user that doesn’t encrypt files AND it turns out that MEGA’s encryption can be bypassed, I would argue that a big cloud storage provider like a Google Drive or OneDrive would be better than MEGA just based on the security they would bring to the table (at the cost of privacy of course). But that’s only in this short-term scenario.
I would imagine that if an exploit like this is discovered for any storage provider that they would start patching this ASAP, but if it’s the result of a deep-rooted problem, or even if it isn’t, I also understand why it would spook customers away.
On a side note, if your login credentials were caught up in a data breach, you know to change your password immediately. If your data in cloud storage gets caught in a breach, what should you do? Immediately take all of it out of the provider? Not worry about it because what's done is done, but don't add more data?