MEGA: Kim Dotcom corrects 7 faults and pays hackers
February 13th, 2013 - 04:16 am ET by Mathieu M.
Kim Dotcom, founder of MegaUpload and more recently of the MEGA platform, isn’t one to make empty promises. A week after he announced that any hacker who managed to crack the site’s security would be paid 10 000 Euros, numerous rewards have now been handed out.
The rewards system launched by Mega, which aims to reward anyone who can demonstrate a security fault on the site, has obviously been successful so far, as numerous faults have already been corrected since the site’s launch.
Last week, Kim Dotcom launched a challenge to hackers, asking them to attack MEGA’s security and offering rewards of up to 10 000€ to anyone who successfully cracks the site’s security in full.
7 faults have now been corrected thanks to this operation, with rewards having been distributed to hackers for their discoveries.
Mega hasn’t announced how much has been paid out in the first week, though, or how many faults have been submitted for inspection. Kim Dotcom has nevertheless encouraged hackers to continue testing the site’s security so that even the most minor fault can be corrected.
Mega has also published a ranking of vulnerabilities according to their potential impact and the access they could give to users’ private information on the site. The ranking has 6 classes:
Class VI: Critical fault that is exploitable in the encryption system.
Class V: Remote code execution in MEGA’s server core (API/DB/Root Clusters) or major breaches in the access control.
Class IV: A fault in the encryption system that is only exploitable after the server’s infrastructure has been compromised.
Class III: Access control that can be remotely executed from a browser (cross-site scripting).
Class II: Cross-site scripting exploitable after having compromised the API server or after having conducted a "man-in-the-middle" type attack (for example the use of a fake SSL certificate + a DNS/BGP manipulation).
Class I: Any theory or scenario that can have a limited impact on the site.
In the first week since the opening of the program, no Class IV or V fault has been demonstrated, and the 7 faults put forward were immediately corrected by the site’s security experts.
MEGA hasn’t yet said on its site how much has been paid out, although The Hacker News has reported on its Twitter feed that one of the hackers was paid 1000€ for having discovered a Class III fault.
Besides this, while Kim Dotcom seems to honour his commitments in terms of the rewards paid, the entrepreneur doesn’t risk a lot, as the 10000€ reward announced would only be paid out if a fault was discovered in the 256 Bit SSL encryption. If a fault is discovered in the SSL encryption, it is a good bet that it won’t be difficult to find someone more generous than Kim Dotcom, as this is the encryption system used in various fields.