Mega’s $13,500 Challenge Highlights 7 Vulnerabilities In The First Week

According to the Mega blog the first week of their new bug bounty program ( read more on that here) has highlighted some 7 vulnerabilities, all of which have been fixed already they claim.

Mega classifies vulnerabilities on six different levels – class I to class VI – with the higher numbered classes being the more severe. Of the 7 issues detected thus far two were categorised as Class I, one as Class II, three as Class III and one as Class IV.


The vulnerabilities themselves were as follows:

Class I

  • HTTP Strict Transport Security header was missing.
  • X-Frame-Options header was missing.

Class II

  • XSS through strings passed from the API server to the download page

Class III

  • XSS through file and folder names.
  • XSS on the file download page.
  • XSS in a third-party component (ZeroClipboard.swf).

Class IV

  • Invalid application of CBC-MAC as a secure hash to integrity-check active content loaded from the distributed static content cluster.

Whilst pertinent, none of the above vulnerabilities are too severe and all have reportedly been fixed now. More importantly to user security on the Mega site, perhaps, is the issue of passwords sent in the sign up file. Thus far, no-one has been able to crack that side of things –

“Needless to mention that nobody cracked any of the brute-force challenges yet (please check back in a few billion billion years).”
Mega blog

If you believe that you can help Mega improve their security / earn some bounty then the program remains on an on-going basis.


About Lee Munson

Lee's non-technical background allows him to write about internet security in a clear way that is understandable to both IT professionals and people just like you who need simple answers to your security questions.

Speak Your Mind