MEGA: Malleable Encryption Goes Awry

Published in IEEE Symposium on Security and Privacy, 2023

Recommended citation: Matilda Backendal, Miro Haller and Kenneth G. Paterson. (2023). "MEGA: Malleable Encryption Goes Awry" 44th IEEE Symposium on Security and Privacy.

MEGA is a leading cloud storage platform with more than 250 million users and 1000 Petabytes of stored data, which aims to achieve user-controlled end-to-end encryption. We show that MEGA’s system does not protect its users against a malicious server and present five distinct attacks, which together allow for a full compromise of the confidentiality of user files. Additionally, the integrity of user data is damaged to the extent that an attacker can insert malicious files of their choice which pass all authenticity checks of the client. We built proof-of-concept versions of all the attacks, showcasing their practicality and exploitability.

Accessible Digest of Results

On, we provide an accessible overview of our attacks. The website includes videos of our proof-of-concept implementations of the attacks and links to related information as well as the attack source code.


We provide an in-depth technical discussion in our paper.

There are two versions:

  • Conference version: to be published at IEEE S&P 2023
  • Extended version: available on eprint (including an extended discussion of the countermeasures we proposed to MEGA).