Kim Dotcom offers Mega reward to would-be hackers

Controversial file-sharing site promises €10,000 to anyone who can break through its security.


Newly-launched file sharing service Mega is offering a reward of up to €10,000 to anyone who finds a previously unknown security bug or design flaw on the site.

The challenge, which was announced through the site's blog, was launched in response to a number of security concerns, particularly surrounding Mega's use of encryption.

Just days after going live, the site was chastised by cryptographers for using what they allege were flimsy security protocols and making nonsensical claims.

A tool was also set up by security researcher Steve Thomas that can extract users' passwords from the account confirmation email sent by Mega at the time of signup.


Mega first responded with a blog post claiming it was "not too impressed with the results [of attempts to dismantle its crypto architecture]", but on 2 February issued the new bug identification challenge with financial incentives.

The organisation has outlined several qualifying types of bug: remote code execution on any of its servers or on any client browser, and any issue that breaks Mega's cryptographic security model.

There are also four special scenarios: compromising a static CDN node, compromising a user storage node, compromising core infrastructure or, for the top prize, using brute force to decrypt a published file or to send the password encoded in a published signup confirmation link.

Mega said the challenge has been issued to improve its security, but Thomas claims it is a bluff.

At the top of the page hosting his MegaCracker tool, Thomas has left a message that states: "If you are here to crack Mega's confirmation link challenge, you should know that it will cost more in energy usage than they will pay you. Since they only gave the link so that they could say 'see no one can crack this'.

"**IF** it is even remotely crackable, it is a sentence or at least eight random words. My guess is it is output from /dev/urandom or someone smacking the keyboard for a minute."
