Encryption of Dotcom’s Mega easily circumvented – tool released

Mega, the new cloud hosting service of Kim Dotcom (founder of MegaUpload), doesn’t seem to be as secure as thought. The service encrypts files in the browser using JavaScript before they are uploaded. Once they arrive on Mega’s servers, only the owner of a file is able to decrypt it. The benefit of this is that Mega doesn’t know what is stored on its servers and can’t be held responsible for it. However, hacker Steve Thomas has posted a tool on his website that is able to reveal the password for the service.

To do so, it’s necessary to obtain the activation mail which Mega sends out on account creation. This mail contains an activation key which is a hash of the password, and Steve’s software seems to be able to recover the password from it. This means that as soon as someone is able to obtain your activation mail, they can also access your Mega account. The CTO of Mega has responded that, according to him, the security concerns are overstated and that Mega is trying to find ways to allow users to change the password used to encrypt the encryption key.