website statistics

Mega, the online storage service launched by Kim Dotcom, has recently announced that it would hand out payouts to those who'd find bugs in the service. Now, it has lived up to that promise.
1 Star2 Stars3 Stars4 Stars5 Stars (Rate This)
Loading...

After the launch of his online storage service, Mega, Kim Dotcom had offered reward to the tune of $13,500 to such users who’d discover security vulnerabilities in the service. As it happens, seven bugs have been reported and fixed so far and three cash rewards have been handed out by the company.


Mega Bounty

The handouts suggest that Dotcom is indeed serious in making his service impregnable in terms of security. However, the fact that seven bugs were found during the first week alone tends to hint that the service may not be so secure for now.

Dotcom has stated that the reward program is meant for the long-term and as users keep finding newer bugs, they will be rewarded in cash for their discoveries. The seven bugs found during the week and deemed eligible for bounty are listed below:

  • One Class IV vulnerability: Invalid application of CBC-MAC as a secure hash to integrity-check active content loaded from the distributed static content cluster. Mitigating factors: No static content servers had been operating in untrusted data centres at that time, thus no elevated exploitability relative to the root servers, apart from a man-in-the-middle risk due to the use of a 1024 bit SSL key on the static content servers. Fixed within hours.
  • Three Class III vulnerabilities: i) XSS through file and folder names. Mitigating factors: None. Fixed within hours. Ii) XSS on the file download page. Mitigating factors: Chrome not vulnerable. Fixed within hours. iii) XSS in a third-party component (ZeroClipboard.swf). Mitigating factors: None. Fixed within hours.
  • One Class II vulnerability: XSS through strings passed from the API server to the download page (through three different vectors), the account page and the link export functionality. Mitigating factors – apart from the need to control an API server or successfully mounting a man-in-the-middle attack –: None. Fixed within hours.
  • Two Class I vulnerabilities: i) HTTP Strict Transport Security header was missing. Fixed. Also, mega.co.nz and *.api.mega.co.nz will be HSTS-preloaded in Chrome. Ii) X-Frame-Options header was missing, causing a clickjacking/UI redressing risk. Fixed.

While we don’t know exactly what amounts of bounties were handed out to those who discovered the bugs, Dotcom did reveal that at least one of the finders was awarded a cash prize of EUR 1000.

Courtesy: TNW

Buy Cheapest Related Product From Amazon.com


Yahoo-Backed Email Service Hacked, Users Receive Spam

iOS 6 Jailbreak Evasi0n Already Unlocks 7 Million Devices
You can also press the left/right arrow key on your keyboard to go to previous/next post

Tags: , ,

  On February 11, 2013(3 years, 5 months ago.)

You May Also Like:

What Do You Think?

Leave a Reply




Loading Facebook Comments ...

FTC Disclosure: Some of the links of this website are "affiliate links." This means if you click on the link and purchase the item, we will receive an affiliate commission.


Recent Search

Recent Tutorials

Pokemon Go users are complaining about the crashing and server issues. Check out the tutorial to solve error problems and thanks us later.
Turning off Wi-Fi Assist is a great way to save mobile data since it automatically starts using cellular data when Wi-Fi signal is poor .
If you want to secure your SIM card from others using it, then check out this tutorial to know how to set up the SIM Pin code on your iPhone.
CiderTV is a great alternative to control Apple TV from the Notification Center. Check out this tutorial to set up CiderTV on your iPhone.
Are you annoyed by the split screen mode on the iPhone 6 Plus or 6s Plus? Check out this quick tutorial to turn off split screen feature.
If you could not wait to installed the iOS 10 beta version on you iPhone and now struggling for the errors, then this tutorial is for you.
Siri might not understand the question you asked. But you can use Siri by editing the text that you asked & it will give an updated answer.
Perhaps, you are new Apple user and you might have no idea how to change name of your iPhone. Check out this tutorial to change the name.
Check out this tutorial to lock Android phone using PIN code, Password or Pattern. Following the easy steps, you can secure your smartphone.
If you could not figure out yet, how to save and send GIF from your iPhone, then this tutorial is just for you.
Close You Have To Login
User:
Pass:
Login With »Login With TwitterLogin With Facebook