Mega Fileshare Service Riddled With Security Holes

Security experts have found a host of security vulnerabilities in Kim Dotcom’s new online storage venture Mega, but many suspect his claims of tough data protection were only a smokescreen to distract the attention of law enforcement agencies.

Mega, a follow-up to Dotcom’s Megaupload service shut down by law enforcement, launched on Sunday. Its founder boasted it was “the privacy company”, offering 50GB of free online storage to every user and blanket encryption across the site.

Yet many potential security vulnerabilities have been highlighted by the community, including flawed encryption key handling, a cross-site scripting hole and problematic claims surrounding deduplication. The encryption “is less than ideal”, according to Alan Woodward, from the Department of Computing at the University of Surrey. That’s largely because it is all done through JavaScript in the browser, which means that anyone who can break the SSL encryption on Mega could get hold of the keys.