MEGA is new, MEGA is cool, MEGA is the future – that’s how Kim Schmitz alias Kim Dotcom promotes MEGA, his new cloud storage service. The claim that the new website is uber secure and totally raid-proof is just bullshit nonsense. It has been proven that Kim talked a shitload of trash regarding cryptography and encryption, here, here, here, here and here for example. Several people have taken a look at MEGA’s security lately, for example the encryption itself, the CDN and the webserver technology (fail0verflow). I would like to comment on MEGA’s resellers, who are in fact the guys who will keep MEGA’s cashflow going. One might expect the same level of security at the resellers as MEGA claims for itself – guess what – you’ll be proven wrong!
MEGA has found 10 resellers, one of them Instra, which is also an investor in Kim Dotcom’s new MEGA. We can assume that Kim and Instra are somewhat friends and that most of the cash paid by users for premium accounts will go straight onto Kim Dotcom’s bank accounts. Paying for MEGA is relatively easy: visit one of MEGA’s reseller websites, pay and receive a voucher, and take this voucher to MEGA’s website to become a premium member. Instra provides a dedicated payment page. All you have to do is give them your details and pay using PayPal – easy, isn’t it?
You’ll receive the voucher code afterwards and with it the ability to become a MEGA Premium customer. One would expect the same security as within MEGA, simply because it’s about serious personal details: addresses, phone numbers, names ’n all private stuff like that. OK, let’s prove this wrong:
Fact 1: Instra fails hilariously at implementing PayPal’s payment API.
Implementing PayPal’s payment API is not that hard. Everyone who has done it once or twice knows that you have to keep an eye on validating the payment twice and only afterwards hand out the product. Oh wait – Instra badly wants your payment IPs logged, so what do they do – guess [...]. OK, here is the trick: Instra uses the Client-IP and X-Forwarded-For headers sent by the browser to attach your IP to the payment. What does everyone know about working with values supplied by the user? Exactly, escape them! Well, Instra doesn’t, and here we drive by with SQL injection.
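The header-into-SQL bug described above, as an added Python sketch (not Instra’s or MEGA’s code): an in-memory SQLite table that borrows the CustomerIP and Voucher column names from the column listing later in the post (everything else about the table is assumed), with the unsafe concatenation next to a version that only accepts the proxy header if it parses as an IP address and uses a parameterised insert.

```python
import ipaddress
import sqlite3

# Constructed in-memory stand-in for the reseller's payment log; CustomerIP and
# Voucher are column names from the dump in the post, the rest is assumed.
SCHEMA = ("CREATE TABLE Vouchers (ID INTEGER PRIMARY KEY, "
          "CustomerIP VARCHAR(50), Voucher VARCHAR(255))")


def new_log_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def log_payment_unsafe(conn, headers, voucher):
    """The pattern the post describes: the proxy header goes straight into the
    SQL text. Returns (sql, ok); ok is False when the database rejected it."""
    ip = headers.get("X-Forwarded-For") or headers.get("Client-IP") or ""
    sql = "INSERT INTO Vouchers (CustomerIP, Voucher) VALUES ('%s', '%s')" % (ip, voucher)
    try:
        conn.execute(sql)
        return sql, True
    except sqlite3.Error:
        # A single quote in the header already changes the statement's structure.
        return sql, False


def client_ip_from_headers(headers, remote_addr):
    """Hardened version: proxy headers are client-supplied strings, so take the
    first hop of X-Forwarded-For (or Client-IP), accept it only if it parses as
    an IP address, and otherwise fall back to the socket peer address."""
    raw = headers.get("X-Forwarded-For") or headers.get("Client-IP") or remote_addr
    candidate = raw.split(",")[0].strip()
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return remote_addr


def log_payment_safe(conn, headers, remote_addr, voucher):
    """Validated IP plus a parameterised query: the value can never alter the SQL."""
    ip = client_ip_from_headers(headers, remote_addr)
    conn.execute("INSERT INTO Vouchers (CustomerIP, Voucher) VALUES (?, ?)", (ip, voucher))
    return ip


def logged_ips(conn):
    return [row[0] for row in conn.execute("SELECT CustomerIP FROM Vouchers ORDER BY ID")]
```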
If you’re using Instra as a payment provider for MEGA (which you absolutely do not) the following pieces of you will get permanently logged by Instra:
- Your IP
- ID (MEGA-ID)
Furthermore, all this information is also logged and visible to Instra via PayPal:
A nice shitload of details about you for a PRIVACY COMPANY, isn’t it?
Fact 2: SQL Injection – The Best the best the best Sir!
web server operating system: Linux CentOS 6.3
web application technology: PHP 5.3.3, Apache 2.2.15
back-end DBMS: MySQL 5.0.11
available databases:
| Log |
| Vouchers |

| Column | Type |
| --- | --- |
| `CardName?` | |
| Address | varchar(255) |
| Amount | decimal(10,2) |
| Country | varchar(50) |
| CustomerIP | varchar(50) |
| CustomerSource | varchar(? |
| Email | varchar(255) |
| Gateway | varchar(50) |
| ID | bigint(20) |
| Issued | char(50) |
| IssueDate | datetime |
| MarketingEmails | int(10) unsigned |
| PaymentNumber | varchar(255) |
| Reseller | varchar(255) |
| Tax | float(10,2) |
| Updated | timestamp |
| Voucher | varchar(255) |
Yes Kim, you’ve found the right resellers, and yes, MEGA is secure as hell. This just proves one more time that MEGA has miserably failed at securing customers’ data.
Thanks to the following media for coverage:
- One week MEGA - Inside MEGA - Tracking the Mega Platform for Developers and Press on MEGA crypto analysis by fail0verflow
- _sToRm_ on MEGA’s & Instra’s SQL-Injection fail
- MEGA mobile apps on MEGA crypto analysis by fail0verflow
- piA on MEGA mobile apps coming soon
- MEGA mobile apps on MEGA statement on cryptography