Want to 10,000 Euros by sitting at your computer for a few hours? Well, there is a change. The latest cloud file storage and sync service, Mega, was reported to have very low security standards for the files it hosted. Ars Techinca and Forbes were among the first to realize and report this. So, the founder of Mega, Kim Dotcom, took it seriously and is now hosting a challenge in which the winner can win up to 10,000 Euros, or roughly 13,580 USD.
So what is the challenge? Well, the challenge is to discover bugs in the security and the design of the whole system behind Mega. For each security or design flaw you report, you get paid depending on the intensity and the seriousness of the flaw that you reported. The following tweet from Kim Dotcom made it official:
But what kind of bugs can you report to be qualified for this awesome contest? Well, the company has actually taken care of that by releasing a list:
- Remote code execution on any of our servers (including SQL injection)
- Remote code execution on any client browser (e.g., through XSS)
- Any issue that breaks our cryptographic security model, allowing unauthorized remote access to or manipulation of keys or data
- Any issue that bypasses access control, allowing unauthorized overwriting/destruction of keys or user data
- Any issue that jeopardizes an account’s data in case the associated e-mail address is compromised
As part of this program, Mega has presented three special scenarios for hackers to try and solve:
- Compromised user storage node (*.userstorage.mega.co.nz): Let’s assume that you have gained access to one of our storage nodes and are able to manipulate it freely. You know that your victim is about to download a particular file residing on that node, but you don’t have its key. Can you manipulate its content so that it still downloads without error?
- Compromised core infrastructure (*.api.mega.co.nz): This is the most extreme scenario. Let’s assume that you have compromised our operational heart, the API servers. Can you trick API clients into surrendering usable keys for files in accounts that do not have any outgoing shares in them?
Interested? Well, if you succeed in finding out any bugs, you can report it to firstname.lastname@example.org.
Source: The Next Web