Mega, the file hosting service and successor to Megaupload founded by Kim Dotcom, recently instituted a bug bounty program that should help keep the service and its users safe from a variety of security relevant or design flaws.
They offered rewards of up to 10,000 Euros per bug, depending on its complexity and impact potential, and have also offered the maximum reward for anyone who can break Mega’s open source encryption scheme.
A little over a week later, they revealed that seven bugs have been discovered and reported, but that nobody managed to crack any of the brute-force challenges.
They also explained a little bit more on how the found vulnerabilities will be classified:
- Severity class VI: Fundamental and generally exploitable cryptographic design flaws
- Severity class V: Remote code execution on core MEGA servers (API/DB/root clusters) or major access control breaches
- Severity class IV: Cryptographic design flaws that can be exploited only after compromising server infrastructure (live or post-mortem)
- Severity class III: Generally exploitable remote code execution on client browsers (cross-site scripting)
- Severity class II: Cross-site scripting that can be exploited only after compromising the API server cluster or successfully mounting a man-in-the-middle attack (e.g. by issuing a fake SSL certificate + DNS/BGP manipulation)
- Severity class I: All lower-impact or purely theoretical scenarios.
No Class V and VI vulnerabilities were reported so far. The researchers unearthed four XSS flaws (severity class II and III), two missing headers (the lack of one of which could have resulted in clickjacking – s.c. I), and an invalid application of CBC-MAC (s.c. IV). All have already been fixed.
According to TNW, Kim Dotcom has confirmed that three of the bounties have already been paid out, and that a tweet by The Hacker News revealed that the report on one of the XSS vulnerabilities was rewarded with 1,000 Euros.
“It is clear that the vulnerabilities identified so far could all be found by checking only a few lines of code at a time; none of them required any analysis at a higher level of abstraction,” the company concluded in a blog post, adding that they hope that future submissions will include some that address higher-level and conceptual issues.