Week one of the Mega cloud storage service bug bounty is in the books, and at least three payouts have been made. Controversial entrepreneur and MegaUpload founder Kim Dotcom issued the challenge last week, offering a €10,000 reward to anyone who could break the encryption protecting the service. Six levels of vulnerabilities were described, each with a different reward. According to a Twitter post yesterday, a €1,000 payout was made to Frans Rosen for a cross-site scripting bug he discovered. The Next Web, meanwhile, reported that Dotcom confirmed to them that three payouts have been made so far.
Seven bugs were reported and patched, Dotcom wrote in a blog post this week. The most serious were a missing X-Frame-Options header, which put the site at risk of clickjacking, and a missing HTTPS header.
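The two header omissions above are the kind of thing a response-header audit catches before a bounty hunter does. The following is an added example, not Mega's code and not from the blog post: it parses a raw HTTP response, flags a missing anti-framing header, and flags a missing or weak Strict-Transport-Security header (the post only says "a missing HTTPS header"; treating that as HSTS is this example's assumption). Both sample responses are constructed.

```python
"""Audit HTTP response headers for missing anti-framing and HSTS protection.

Added example; the responses below are constructed, not captured from any
real server. Treating the post's "missing HTTPS header" as
Strict-Transport-Security is an assumption of this example.
"""
from typing import Dict, List

# Constructed response with neither protection: frameable, and nothing tells
# the browser to insist on HTTPS on later visits.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Server: example\r\n"
    "\r\n"
)

# Constructed hardened response: X-Frame-Options plus the CSP equivalent
# (frame-ancestors) for newer browsers, and HSTS for one year.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Frame-Options: DENY\r\n"
    "Content-Security-Policy: frame-ancestors 'none'\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse the header block of a raw HTTP response into a map of
    lowercase header name -> list of values (a header may repeat)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")[1:]  # drop the status line
    headers: Dict[str, List[str]] = {}
    for line in lines:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def framing_protected(headers: Dict[str, List[str]]) -> bool:
    """True if other origins cannot frame the page: a restrictive
    X-Frame-Options value, or a CSP frame-ancestors directive that only
    allows 'none' or 'self' (a simplification; explicit origin lists are
    treated as unprotected here to keep the check conservative)."""
    for value in headers.get("x-frame-options", []):
        if value.strip().upper() in ("DENY", "SAMEORIGIN"):
            return True
    for value in headers.get("content-security-policy", []):
        for directive in value.split(";"):
            parts = directive.strip().split()
            if parts and parts[0].lower() == "frame-ancestors":
                sources = [p.lower() for p in parts[1:]]
                if sources and all(s in ("'none'", "'self'") for s in sources):
                    return True
    return False


def hsts_enforced(headers: Dict[str, List[str]], min_age: int = 15552000) -> bool:
    """True if Strict-Transport-Security is present with a max-age of at
    least min_age seconds (default about 180 days)."""
    for value in headers.get("strict-transport-security", []):
        for directive in value.split(";"):
            d = directive.strip().lower()
            if d.startswith("max-age="):
                try:
                    if int(d.split("=", 1)[1]) >= min_age:
                        return True
                except ValueError:
                    pass
    return False


def audit(raw: str) -> List[str]:
    """Return a list of findings for one raw response; empty means clean."""
    headers = parse_headers(raw)
    findings = []
    if not framing_protected(headers):
        findings.append("no anti-framing header (X-Frame-Options or CSP "
                        "frame-ancestors): page can be clickjacked")
    if not hsts_enforced(headers):
        findings.append("missing or weak Strict-Transport-Security: browser "
                        "is not told to enforce HTTPS")
    return findings


if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit(response) or ["no findings"])
```

The check is deliberately strict: an `X-Frame-Options: ALLOW-FROM` value or an HSTS header with a tiny `max-age` both count as findings, since neither gives the protection the header is there for.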
A cross-site scripting vulnerability was reported in strings passed from the site’s API server to a download page via three vectors, the post said. To exploit this flaw, an attacker would need access to the server or would have to conduct a man-in-the-middle attack.
Three other, less serious cross-site scripting bugs were fixed: one through file and folder names, another on the file download page, and a third in a third-party component.
The final bug was an invalid application of CBC-MAC, a block-cipher-based message authentication code, used as an integrity check on active content.
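The post does not say what was wrong with Mega's use of CBC-MAC, so the following is an added example of the textbook pitfall rather than a reconstruction of Mega's bug: a raw CBC-MAC over variable-length messages lets a verifier accept a message it never authenticated, which is why practitioners reach for HMAC (or CMAC) instead. The code is not Mega's; the block cipher is a keyed stand-in built from SHA-256 (CBC-MAC only uses the forward direction, so invertibility is not needed), and the keys and messages are constructed.

```python
"""Raw CBC-MAC as a variable-length integrity check, next to HMAC.

Added example. The block cipher below is a keyed SHA-256 stand-in for AES,
and all keys and messages are constructed; nothing here is Mega's code.
"""
import hashlib
import hmac
import os
from typing import Tuple

BLOCK = 16


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for a block cipher: a keyed pseudorandom function on 16-byte
    blocks. CBC-MAC never decrypts, so a one-way function suffices here."""
    assert len(block) == BLOCK
    return hashlib.sha256(key + block).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pad(msg: bytes) -> bytes:
    """Zero-pad to a block multiple (a simplification; the padding scheme is
    not the weakness shown here)."""
    return msg + b"\x00" * (-len(msg) % BLOCK)


def cbc_mac(key: bytes, msg: bytes) -> bytes:
    """Raw CBC-MAC: chain the cipher over the blocks from a zero IV and output
    the final chaining value. Sound only for messages of one fixed length."""
    data = pad(msg)
    state = bytes(BLOCK)
    for i in range(0, len(data), BLOCK):
        state = block_encrypt(key, xor(state, data[i:i + BLOCK]))
    return state


def splice_without_key(msg1: bytes, tag1: bytes,
                       msg2: bytes, tag2: bytes) -> Tuple[bytes, bytes]:
    """Given two authenticated messages, build a third message that the raw
    CBC-MAC verifier accepts although it was never tagged:
        pad(msg1) || (first block of msg2 XOR tag1) || rest of msg2
    The chaining value after msg1's blocks is tag1, so the next block input is
    tag1 XOR (block XOR tag1) = block, and the chain replays msg2 exactly,
    ending in tag2. No key is used."""
    m2 = pad(msg2)
    spliced = pad(msg1) + xor(m2[:BLOCK], tag1) + m2[BLOCK:]
    return spliced, tag2


def hmac_tag(key: bytes, msg: bytes) -> bytes:
    """The corrected integrity check: HMAC-SHA256 from the standard library."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def verify(tag_fn, key: bytes, msg: bytes, tag: bytes) -> bool:
    """Constant-time comparison of a recomputed tag against the supplied one."""
    return hmac.compare_digest(tag_fn(key, msg), tag)


def demo() -> dict:
    """Run the splice against both verifiers for two constructed content
    manifests and report which verifier accepts the never-tagged message."""
    key = os.urandom(32)
    m1 = b"version=1;script=a.js"
    m2 = b"version=2;script=b.js"
    t1, t2 = cbc_mac(key, m1), cbc_mac(key, m2)
    spliced, tag = splice_without_key(m1, t1, m2, t2)
    return {
        "cbc_mac_accepts_spliced": verify(cbc_mac, key, spliced, tag),
        "hmac_accepts_spliced": verify(hmac_tag, key, spliced, hmac_tag(key, m2)),
    }


if __name__ == "__main__":
    print(demo())
```

The spliced message carries no valid HMAC tag because HMAC has no chaining value for the splice to cancel. CBC-MAC can be made safe for variable-length input by prepending the message length or by using CMAC, but for a web integrity check over active content HMAC is the simpler, standard choice.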
“No static content servers had been operating in untrusted data centers at that time, thus no elevated exploitability relative to the root servers, apart from a man-in-the-middle risk due to the use of a 1024 bit SSL key on the static content servers,” the post said of possible mitigating factors.
The vulnerability classifications as established by Mega range from low-impact or theoretical attacks, to cross-site scripting, remote code execution on clients and Mega servers, crypto design flaws, and exploitable crypto design flaws.
“It is clear that the vulnerabilities identified so far could all be found by checking only a few lines of code at a time; none of them required any analysis at a higher level of abstraction,” the post said, adding that the bounty will continue.
Mega is the successor service to MegaUpload, which was shuttered by the U.S. government and New Zealand authorities for copyright infringement. Dotcom was at the center of controversy at the time of the shutdown, which prompted a number of attacks, including a high-profile DDoS attack against the U.S. Department of Justice, reportedly by members of Anonymous.
The MegaUpload shutdown was prompted by allegations that the site was illegally hosting copyrighted content such as movies and music and that the company knew of the problematic content and did nothing to remove it.
Upon the launch of Mega, security experts began criticizing the site’s browser-based encryption as weak, reports said. Dotcom answered the critics by instituting the bug bounty.