Cracking tool milks weakness to reveal some Mega passwords

[InfoSec News <alerts () infosecnews org>]

http://arstechnica.com/security/2013/01/cracking-tool-milks-weakness-to-reveal-some-mega-passwords/

By Dan Goodin
Ars Technica
Jan 22 2013

Yet another security researcher is poking holes in the security of Mega, this 
time by pointing out that the confirmation messages e-mailed to new users can 
in many cases be cracked to reveal their password and take over their Mega 
accounts.

Steve "Sc00bz" Thomas, the researcher who uncovered the weakness, has released 
a program called MegaCracker that can extract passwords from the link contained 
in confirmation e-mails. Mega e-mails a link to all new users and requires that 
they click on it before they can use the cloud-based storage system, which 
boasts a long roster of encryption and security protections. Security 
professionals have long considered it taboo to send passwords in either 
plaintext or as cryptographic hashes in e-mails because of the ease attackers 
have in intercepting unencrypted messages sent over Internet.

Despite that admonishment, the link included in Mega confirmation e-mails 
contains not only a hash of the password, but it also includes other sensitive 
data, such as the encrypted master key used to decrypt the files stored in the 
account. MegaCracker works by isolating the AES-hashed password embedded in the 
link and attempting to guess the plaintext that was used to generate it.

"Since e-mail is unencrypted, anyone listening to the traffic can read the 
message," Thomas told Ars. "It makes no sense to send a confirmation link with 
a hash of your password."

[...]


______________________________________________
Visit the InfoSec News Security Bookstore
Best Selling Security Books and More!
http://www.shopinfosecnews.org