According to the Mega blog, the first week of its new bug bounty program (read more on that here) surfaced seven vulnerabilities, all of which Mega says have already been fixed.
Mega classifies vulnerabilities into six levels, Class I to Class VI, with the higher-numbered classes being the more severe. Of the seven issues found so far, two were categorised as Class I, one as Class II, three as Class III and one as Class IV.
The vulnerabilities themselves were as follows:
- HTTP Strict Transport Security (HSTS) header missing.
- X-Frame-Options header missing.
- XSS through strings passed from the API server to the download page.
- XSS through file and folder names.
- XSS on the file download page.
- XSS in a third-party component (ZeroClipboard.swf).
- Invalid use of CBC-MAC as a secure hash to integrity-check active content loaded from the distributed static content cluster.
Whilst pertinent, none of the above is especially severe, and all have reportedly been fixed. More important to user security on the Mega site, perhaps, is the handling of password-related data sent during sign-up. So far, nobody has managed to crack that side of things:
“Needless to mention that nobody cracked any of the brute-force challenges yet (please check back in a few billion billion years).”
If you believe you can help Mega improve its security, or simply want to earn some bounty, the program is ongoing.