Mega's vulnerability program is a hit, seven bugs fixed in week one

Kim Dotcom has proved yet again that he can put his money where his mouth is when it comes to Mega. As he had promised not long after the launch of his file hosting service, Dotcom has paid out participants who found bugs in the service.

Even though the program is only in its first week, Dotcom has confirmed that seven bugs have been found and fixed on Mega. While the company did not detail what bugs were fixed, how many total submissions were made or the names of the participants, it urged more users to help it find security loopholes and fix them.

The company said that the program is here to stay but did not reveal how much the pay-out would be if one helped fix a bug. In a blog post, Mega explained how it classifies vulnerabilities and their impacts. Vulnerabilities were classified into six classes, with I being the lowest risk and VI being the highest.

The program is going to be a regular affair


Thankfully for Mega, no class V and VI vulnerabilities were noted in the first week. While there was one class IV and one class II vulnerability, there were three class III and two class I weaknesses found on the website. Mega’s log read:


  • One Class IV vulnerability: Invalid application of CBC-MAC as a secure hash to integrity-check active content loaded from the distributed static content cluster. Mitigating factors: No static content servers had been operating in untrusted data centres at that time, thus no elevated exploitability relative to the root servers, apart from a man-in-the-middle risk due to the use of a 1024 bit SSL key on the static content servers. Fixed within hours.
  • Three Class III vulnerabilities: i) XSS through file and folder names. Mitigating factors: None. Fixed within hours. ii) XSS on the file download page. Mitigating factors: Chrome not vulnerable. Fixed within hours. iii) XSS in a third-party component (ZeroClipboard.swf). Mitigating factors: None. Fixed within hours.
  • One Class II vulnerability: XSS through strings passed from the API server to the download page (through three different vectors), the account page and the link export functionality. Mitigating factors – apart from the need to control an API server or successfully mounting a man-in-the-middle attack –: None. Fixed within hours.
  • Two Class I vulnerabilities: i) HTTP Strict Transport Security header was missing. Fixed. Also, and * will be HSTS-preloaded in Chrome. ii) X-Frame-Options header was missing, causing a clickjacking/UI redressing risk. Fixed.

There were no high-class security flaws reported in the first week, the company said, and most of the flaws spotted ‘could all be found by checking only a few lines of code at a time; none of them required any analysis at a higher level of abstraction.’ The blog confidently asked readers to ‘check back in a few billion years’ to see if anyone could crack the brute-force challenges.
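The Class IV entry in the log turns on the difference between a MAC and a hash: CBC-MAC only protects integrity while its key is secret, and a check that every client can run cannot keep the key secret. The sketch below is an added example, not Mega's code; the stand-in Feistel cipher, the key and the sample contents are constructed for illustration, and the known key is an assumption that follows from using the MAC as a hash.

```python
import hashlib

BLOCK = 16
KEY = b"constructed-key!"  # assumption: shipped to every client, so not secret

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, i, half):
    # Round function of a stand-in Feistel cipher (not AES, not Mega's code).
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]

def encrypt_block(key, block):
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _f(key, i, r))
    return l + r

def decrypt_block(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _f(key, i, l)), l
    return l + r

def pad(data):
    # Zero-pad to a block boundary (a choice made for this example).
    return data + bytes(-len(data) % BLOCK)

def cbc_mac(key, data):
    state = bytes(BLOCK)
    data = pad(data)
    for i in range(0, len(data), BLOCK):
        state = encrypt_block(key, _xor(state, data[i:i + BLOCK]))
    return state

def colliding_variant(key, altered, target_tag):
    # With the key known, one trailing block steers the chain to target_tag.
    altered = pad(altered)
    return altered + _xor(decrypt_block(key, target_tag), cbc_mac(key, altered))

def weak_check(content, tag):        # CBC-MAC misused as a hash
    return cbc_mac(KEY, content) == tag

def strong_check(content, digest):   # collision-resistant hash pinned by the loader
    return hashlib.sha256(content).digest() == digest

ORIGINAL = b"static script as published (constructed sample)"
TAG, PIN = cbc_mac(KEY, ORIGINAL), hashlib.sha256(ORIGINAL).digest()
ALTERED = colliding_variant(KEY, b"modified script (constructed sample)", TAG)

if __name__ == "__main__":
    print("CBC-MAC check accepts altered file:", weak_check(ALTERED, TAG))
    print("SHA-256 check accepts altered file:", strong_check(ALTERED, PIN))
```

The same result holds for any block cipher in place of the stand-in, because the argument only needs the verifier's key to be available for decryption.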

Now as a Firefox extension too!


Dotcom, though, revealed in a retweet that one of the participants had received 1000 Euros in the bug-fixing challenge. According to the details, it looks like this pay-out was for one of the class III bugs that was fixed.

In another announcement, Dotcom revealed that Mega's services have received a shot in the arm with a new Firefox extension. The extension has been ‘preliminary reviewed’ by Mozilla and is billed as ‘secure and invisible’.

If you’re accessing Mega with Firefox, you will be prompted to add the extension that promises ‘vastly improved download performance’ and allows you to ‘batch-download an unlimited number of files without any size restrictions.’

You can get your hands on the extension for Firefox here.

Published Date: Feb 11, 2013 10:33 am | Updated Date: Feb 11, 2013 10:33 am