Subject: Re: (No Subject)
From: Terri
Date: Wed, 15 Mar 2023 04:34:55 +0000
Hi,

I don't know what exactly mega did to patch the security flaws but whatever mega did to patch the flaws has now made it not possible for megatools to "see" folders that have a link that was generated after the security was upgraded (the links can either be generated using a web browser or using megacmd). Folders that had their links removed remain invisible. The contents of such folders are also essentially invisible.

For an example, see this account:
Here's the file structure printed with megacmd (using mega-tree)
Cloud Storage
├── A Folder that has its link removed
│   └── megatools.7z
├── A Folder with LInks Generated After the Security Was Upgraded
│   └── megatools.7z
├── A folder with no links generated
│   └── Another folder without links
│       └── megatools.7z
├── A File That Has A Link.7z
└── A File With No Links.7z

Here's what megatools ls prints out (using megatools ls -u vpvqdo8mox4aloiye@guerrillamailblock.com -p 2ULeOLCVAXvgcsX31DrKu --reload)
WARNING: Skipping import of a key n3gDBABa because it's authentication failed
WARNING: Skipping import of a key brgjFaiY because it's authentication failed
WARNING: Skipping FS node n3gDBABa because node key wasn't found
WARNING: Skipping FS node brgjFaiY because node key wasn't found
WARNING: Skipping FS node jm41FSoB because node key wasn't found
WARNING: Skipping FS node Ci5RwQZD because node key wasn't found
/Contacts
/Inbox
/Root
/Root/A File That Has A Link.7z
/Root/A File With No Links.7z
/Root/A folder with no links generated
/Root/A folder with no links generated/Another folder without links
/Root/A folder with no links generated/Another folder without links/megatools.7z
/Trash

As you can see, megatools doesn't list any folders that have a link (or once had a link) nor does it list the contents of those folders.

Consequently, if you were to try to upload another file to one of the "invisible" folders with megatools put, it won't be able to upload it because as far as megatools is concerned, the folder doesn't exist.

Here's the output for this: megatools put -u vpvqdo8mox4aloiye@guerrillamailblock.com -p 2ULeOLCVAXvgcsX31DrKu "C:\Things to\Upload\megatools_2.7z" --path "/Root/A Folder that has its link removed/megatools_2.7z" --reload

WARNING: Skipping import of a key n3gDBABa because it's authentication failed
WARNING: Skipping import of a key brgjFaiY because it's authentication failed
WARNING: Skipping FS node n3gDBABa because node key wasn't found
WARNING: Skipping FS node brgjFaiY because node key wasn't found
WARNING: Skipping FS node jm41FSoB because node key wasn't found
WARNING: Skipping FS node Ci5RwQZD because node key wasn't found
ERROR: Upload failed for 'C:\Things to\Upload\megatools_2.7z': Parent directory doesn't exist: /Root/A Folder that has its link removed

If you try to create a folder named "A Folder that has its link removed", megatools will create a duplicate folder (not done in this mega account). Basically there would be two folders with identical names in /Root/.

For what it's worth, the downloading of files/folders from megalinks still works though. Registering and verifying new mega accounts also still works.




Regards,
Terri

Sent with Proton Mail secure email.


------- Original Message -------
On Wednesday, March 15th, 2023 at 10:49 AM, Ondřej Jirman megatools@megous.com wrote:



> Hi,
> 
> On Tue, Mar 14, 2023 at 05:50:24AM +0000, Terri wrote:
> 
> > Hi,
> > 
> > Not sure if you're aware that mega.nz recently released a security upgrade
> > that has a major effect on megatools' ability to function as intended.
> > A little info about the security upgrade here:
> > https://blog.mega.io/e2ee-security-update/.
> > 
> > Here's the relevant portions:
> > 
> > > Upgrade path: How does it work?
> > > As long as you use only old (vulnerable) software versions, nothing will
> > > change for you. But once your account touches a new software version for the
> > > first time, it will be upgraded (you may see a message with details when
> > > that happens). The new version will only be able to establish and accept
> > > shared folders with and from new versions, and mutual public key
> > > verification is mandatory. Existing shared folders will continue to work.
> > > New shared folders established between old versions on an upgraded account
> > > will be invisible to new versions and vice versa, so be sure to upgrade
> > > before creating new shared folders.
> > > 
> > > Third-Party Client Software
> > > Client software based on the MEGA SDK will need to be upgraded to the latest
> > > SDK version as soon as possible...
> 
> I guess they added a way to store out of band fingerprint verification result in
> the contact list, or whatnot?
> 
> Anyway, I have not used mega.nz in the last 7 years, so unless someone sends
> patches to fix this, shared folders will not work with megatools. Megatools
> didn't support creating shared folders anyway.
> 
> Did this also break downloading from random exported folder links you can find
> on the net? There's nothing to validate there, since you don't have any
> relationship with the uploader, and everything needed for verification
> should be in URL. So none of the MITM concerns from the article apply there.
> 
> kind regards,
> o.
> 
> > The security upgrade has now made it not possible for megatools to access files and folders that are protected with the new security. It essentially looks like the files and/or folders don't exist in the mega account. For example, on accounts that have a mix of folders with share links generated before and after the security was upgraded, running megatools ls -u myemail -p mypassword --reload doesn't show the folders with the new links nor their contents. Only the folders (along with their contents) that are still using the old security (links generated before the security was upgraded) are listed. Also, these types of errors occur:
> > WARNING: Skipping import of a key 8F8C0KbY because it's authentication failed
> > 
> > ** (megatools ls:7144): CRITICAL **: 12:29:04.359: b64_aes128_decrypt: assertion 'key != NULL' failed
> > WARNING: Skipping FS node 8F8C0KbY because key can't be decrypted IX_Ry4Zl42VYX3MjOhSr7A
> > 
> > Running megatools df -u email -p password --reload shows these types of errors:
> > WARNING: Skipping import of a key 8F8C0KbY because it's authentication failed
> > WARNING: Skipping import of a key cQ9gDQTI because it's authentication failed
> > 
> > ** (megatools df:12780): CRITICAL **: 14:59:35.610: b64_aes128_decrypt: assertion 'key != NULL' failed
> > WARNING: Skipping FS node 8F8C0KbY because key can't be decrypted IX_Ry4Zl42VYX3MjOhSr7A
> > 
> > Please feel free to contact me if you have any questions.
> > 
> > Thanks,
> > T
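
An added example, not part of the original thread and not megatools or megacmd code: a small diagnostic that compares the mega-tree listing with the megatools ls output quoted in the report, and separates the handles whose key import failed authentication from the other skipped nodes. The function names are hypothetical, and reading the second group as children of the first is an inference from the counts, not something the tools report.

```python
import re

# Both samples are copied from the report above (system folders omitted from LS).
TREE = """\
Cloud Storage
├── A Folder that has its link removed
│   └── megatools.7z
├── A Folder with LInks Generated After the Security Was Upgraded
│   └── megatools.7z
├── A folder with no links generated
│   └── Another folder without links
│       └── megatools.7z
├── A File That Has A Link.7z
└── A File With No Links.7z
"""
LS = """\
WARNING: Skipping import of a key n3gDBABa because it's authentication failed
WARNING: Skipping import of a key brgjFaiY because it's authentication failed
WARNING: Skipping FS node n3gDBABa because node key wasn't found
WARNING: Skipping FS node brgjFaiY because node key wasn't found
WARNING: Skipping FS node jm41FSoB because node key wasn't found
WARNING: Skipping FS node Ci5RwQZD because node key wasn't found
/Root
/Root/A File That Has A Link.7z
/Root/A File With No Links.7z
/Root/A folder with no links generated
/Root/A folder with no links generated/Another folder without links
/Root/A folder with no links generated/Another folder without links/megatools.7z
"""

def tree_paths(text, root="/Root"):
    """Turn mega-tree output into absolute paths (4 columns per depth level)."""
    stack, out = [root], []
    for line in text.splitlines():
        m = re.match(r"^((?:│   |    )*)[├└]── (.+)$", line)
        if m:
            depth = len(m.group(1)) // 4 + 1
            stack[depth:] = [m.group(2)]
            out.append("/".join(stack))
    return out

def diagnose(tree, ls_output):
    """Paths megacmd shows but megatools hides, plus the handles it skipped."""
    listed = {l for l in ls_output.splitlines() if l.startswith("/")}
    auth = set(re.findall(r"import of a key (\S+) because", ls_output))
    skipped = set(re.findall(r"Skipping FS node (\S+) because", ls_output))
    hidden = [p for p in tree_paths(tree) if p not in listed]
    # Assumption: skipped handles without an auth failure are children of the failed ones.
    return hidden, sorted(auth), sorted(skipped - auth)
```

On the sample above it reports four hidden paths against four skipped handles: two whose key import failed authentication and two skipped only because no node key was found.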