Mega: Bug bounty program resulted in seven vulnerabilities fixed so far

Cryptographic challenges unsolved, no critical remote code execution flaw reported so far, Mega's creators say

By Lucian Constantin, IDG News Service |  Security

In addition to this vulnerability, Mega's creators claim that three cross-site scripting (XSS) vulnerabilities with a class III severity rating were addressed. Class III flaws are described as vulnerabilities that can generally be exploited to achieve remote code execution inside client browsers (cross-site scripting).

Mega did not publish the names of the researchers who discovered these flaws -- a somewhat unusual practice when compared to other bug bounty programs -- or how much money it paid for each one.

Based on discussions on Twitter, it seems that one of these three XSS vulnerabilities was reported by a security researcher named Frans Rosen. Rosen posted a screenshot of what appears to be his email communication with Mega, suggesting that he received a reward of €1,000 for his report.

A fourth XSS vulnerability was also addressed, but this one was rated as class II because exploiting it required the compromise of one of Mega's API (application programming interface) servers or an SSL/DNS man-in-the-middle attack.

Two low severity -- class I -- issues have also been fixed, the Mega creators said. They involved the failure to use HTTP Strict Transport Security (HSTS) and X-Frame-Options HTTP headers.

HSTS is a Web security policy mechanism that allows a website to instruct browsers to connect to it only over HTTPS (HTTP Secure) for a stated period: plain HTTP requests to the site are upgraded to HTTPS before they are sent, and connections whose certificate fails validation are refused rather than offered as a click-through warning. The X-Frame-Options header can be used to specify whether a Web page can be loaded inside an iframe on another page and is used to protect against a type of attack known as clickjacking.

Both of these issues have been fixed and, in addition, mega.co.nz and *.api.mega.co.nz will be HSTS-preloaded in Chrome, the Mega creators said.

No class V or class VI vulnerabilities have been reported so far. Class V corresponds to vulnerabilities that could result in remote code execution or access control violations on Mega's main servers and class VI is reserved for fundamental flaws in the service's cryptographic implementation.

The two cryptographic cracking challenges that Mega launched last week have not yet been solved, prompting Mega's creators to boast: "please check back in a few billion billion years."

"Whatever you think of Mega, its founder, its raison d'etre, its bombasticity and even the value of the bounties it's offering, it nevertheless reflects to the company's credit that it came out with the bounties at all," said Paul Ducklin, the head of technology for the Asia-Pacific region at Sophos antivirus, Monday in a blog post.
