Just How bad is the recent MEGA vulnerability for the average user?

According to this article Mega says it can’t decrypt your files. New POC exploit shows otherwise | Ars Technica

Security researchers discovered vulnerabilities with MEGA’s infrastructure. A lot of it went over my head. I use MEGA, i don’t encrypt before uploading so i depend on the cloud’s encryption (not willing to encrypt myself, too inconvenient and I like automatic camera uploads). Is this severe enough to warrant moving to something like filen(dot)io? Or is the response by MEGA
MEGA Security Update - Mega Blog sufficient enough to resume using their service?

1 Like

In my opinion, the vulnerability doesn’t matter. Pick the cloud provider that works best for you and encrypt the files yourself. (Oh yea, it’s pretty inconvenient)

Then buy yourself some hardware and host a NAS if USBs are too bothersome. If guaranteed security is what you want, then you have to work for it one way or the other. :man_shrugging:

Flaws will always be part of the equation no matter which cloud service you use.
__
jas_framework

1 Like

We use MEGA internally. For us it’s a big deal given E2EE is the main selling point. Yes, it’s unlikely to impact users, but it outlines a general poor approach to security in the first place that scares me away from the service. (at the moment)

The good news: Even if they were actively using this exploit maliciously, you’re still no worse off than you are using Google Drive/Dropbox/iCloud/etc. and exploits like these are why we always recommend encrypting things BEFORE they touch the cloud.

Like all trust issues, it’ll come down to personal preference :slight_smile: I’ve lost a lot of faith in them, but others may not. Only you can decide if you still trust the service. Their response to the situation isn’t bad, I am just upset these (somewhat large) issues existed in the first place - as it speaks to their unnecessarily complex platform they can’t seem to control.

5 Likes

I agree with your point. After mulling it over for a bit, I’ve decided that despite this vulnerability not impacting the average user, it shows that the way MEGA implements their encryption is fundamentally flawed. I really like their service because of the functionality, it seemed to work seamlessly and their prices are unmatched compared to the alternatives. Really unfortunate. Will this be covered on next week’s surveillance report? And do you guys plan to migrate away from MEGA?

2 Likes

If you’re the kind of user that doesn’t encrypt files AND it turns out that MEGA’s encryption can be bypassed, I would argue that a big cloud storage provider like a Google Drive or OneDrive would be better than MEGA just based on the security they would bring to the table (at the cost of privacy of course). But that’s only in this short-term scenario. :sweat_smile:

I would imagine that if an exploit like this is discovered for any storage provider that they would start patching this ASAP, but if it’s the result of a deep-rooted problem, or even if it isn’t, I also understand why it would spook customers away.

On a sidenote, if your login credentials were caught up in a data breach, we know to change your password immediately. If your data in cloud storage gets caught in a breach, what should you do? Immediately take all of it out of the provider? Not worry about it because what’s done is done, but don’t add more data?

1 Like

Has there been any news or new recommendation regarding this issue?

I am looking for a convenient cloud storage provider for users who don’t have the knowledge to encrypt data themselves before uploading, but still want to stay private for about 4 to 8€ per month with minmum 400GB storage. Speed should be good enough in the EU. I initially wanted to settle with Mega, after testing it for a week. It has great usability, but reading these news make me feel a bit overwhelmed with making a decision.

Encrypting the files with additional encryption software is not an option. There are simply no good tools available which are fully featured, cross-platform and easy to use, and sharing files and folders wouldn’t be possible

If you’re looking just for a cloud storage and not so much a cloud office suite with storage provided, Proton Drive may be a good option to watch for. It’s web-based and E2EE, but it is still in beta I believe. Don’t know if it has enough of the features that you’re looking for, though.

Thx. But too expensive and still in beta. How are the other options like sync.com, Tresorit, and filen.io?

1 Like

I use Filen, its pretty good. Sync.com and Tresorit are good too, but tbh, filen IMO has a better desktop client interface (After the new update) and the clients are open source. The whitepaper is eli5ed too for non tech users IMO.