Yet another security researcher is poking holes in the security of Mega, this time by pointing out that the confirmation messages e-mailed to new users can in many cases be cracked to reveal their password and take over their Mega accounts.

Steve "Sc00bz" Thomas, the researcher who uncovered the weakness, has released a program called MegaCracker that can extract passwords from the link contained in confirmation e-mails. Mega e-mails a link to all new users and requires that they click on it before they can use the cloud-based storage system, which boasts a long roster of encryption and security protections.

Security professionals have long considered it taboo to send passwords in either plaintext or as cryptographic hashes in e-mails because of the ease attackers have in intercepting unencrypted messages sent over the Internet. Despite that admonishment, the link included in Mega confirmation e-mails contains not only a hash of the password, but it also includes other sensitive data, such as the encrypted master key used to decrypt the files stored in the account.

MegaCracker works by isolating the AES-hashed password embedded in the link and attempting to guess the plaintext that was used to generate it.

"Since e-mail is unencrypted, anyone listening to the traffic can read the message," Thomas told Ars. "It makes no sense to send a confirmation link with a hash of your password." In addition to the ease of intercepting e-mails as they traverse the Internet, the confirmation link could be recovered by government-backed investigators or others with a legal subpoena.

Mega officials didn't immediately respond to a request for comment. A confirmation sent to one Ars reporter looked like this:

[image: Mega confirmation e-mail]

On its website, the service said MegaCracker is "An excellent reminder not to use guessable/dictionary passwords, specifically not if your password also serves as the master encryption key to all files that you store on MEGA."

I tried 1) reloading my account whilst pressing the ctrl key and 2) downloading the file to my computer first via MEGAsync and then via browser, but no dice, the thumbnail just refuses to generate. I should mention that this issue only affects media encoded using the AV1 codec (which is a new generation video codec that is yet to see wider adoption), whereas media files encoded using every other major codec such as HEVC, AVC, VP9 all generate thumbnails without issue. Some of the people I've talked to have had better luck generating thumbnails for AV1 files, however, the very same ones I couldn't generate when I tried to upload them myself, which leads me to think this could be an OS or GPU decode incompatibility issue. They were running a newer version of Windows 11 whereas I'm on Windows 10, so I will now try installing Windows 11 on a spare computer and see whether that changes anything. I still am not sure where or how MEGAsync actually obtains the thumbnail images from files, since the end-to-end encryption complicates things, because a few other non-encrypted hosters were able to generate thumbnails for the AV1 files without any issue. In case anybody reading this would like to help out, please download (don't import because that won't work) the AV1 sample from the folder in the OP and see whether you're able to have a thumbnail generated for it when you upload from your setup.