Paper 2022/959

MEGA: Malleable Encryption Goes Awry

Matilda Backendal, ETH Zurich
Miro Haller, ETH Zurich
Kenneth G. Paterson, ETH Zurich

MEGA is a leading cloud storage platform with more than 250 million users and 1000 Petabytes of stored data. MEGA claims to offer user-controlled, end-to-end security. This is achieved by having all data encryption and decryption operations done on MEGA clients, under the control of keys that are only available to those clients. This is intended to protect MEGA users from attacks by MEGA itself, or by adversaries who have taken control of MEGA’s infrastructure. We provide a detailed analysis of MEGA’s use of cryptography in such a malicious server setting. We present five distinct attacks against MEGA, which together allow for a full compromise of the confidentiality of user files. Additionally, the integrity of user data is damaged to the extent that an attacker can insert malicious files of their choice which pass all authenticity checks of the client. We built proof-of-concept versions of all the attacks. Four of the five attacks are eminently practical. They have all been responsibly disclosed to MEGA and remediation is underway. Taken together, our attacks highlight significant shortcomings in MEGA’s cryptographic architecture. We present immediately deployable countermeasures, as well as longer-term recommendations. We also provide a broader discussion of the challenges of cryptographic deployment at massive scale under strong threat models.

Category
Attacks and cryptanalysis
Publication info
Published elsewhere. 44th IEEE Symposium on Security and Privacy, S&P 2023
Keywords
Cryptanalysis, Cloud storage, RSA-CRT, Bleichenbacher, ECB mode, Key compromise, Plaintext recovery, MEGA
Contact author(s)
mbackendal @ inf ethz ch
miro haller @ alumni ethz ch
kenny paterson @ inf ethz ch
2022-07-28: approved
2022-07-25: received
Creative Commons Attribution


      author = {Matilda Backendal and Miro Haller and Kenneth G. Paterson},
      title = {{MEGA}: Malleable Encryption Goes Awry},
      howpublished = {Cryptology ePrint Archive, Paper 2022/959},
      year = {2022},
      note = {\url{}},
      url = {}