

Viber, the messaging app, made a desktop version a while back, which suffered from a similar issue. Ask for your current password before changing it into a new one.

Of course, files being transferred when the app locks should finish transferring, or at least pause and not get cancelled mid-way through.

While in lock-mode, the app could still apply transfers, or not, depending on user choice, but consider the following:

A) If file-transfers are allowed during lock-mode, the attacker could replace / delete the cloud-files and get the newly synced ones, without having to gain access to the account.

B) If the file-transfers are not allowed, the user would have to enter the password each time he wanted to sync his files.

The user could also choose the app to lock automatically every given number of minutes.

The first time the user opens the app (either starts it or just opens it, if the app starts automatically on logon), he would have to enter a password.

Have an auto-locker, just like in the Android-app.

In order to limit the exposure in the above security issue, MEGAsync-Desktop could:

The attacker could just browse through / replace / delete ALL of your cloud files by opening them from the app's menu: "three dots -> Cloud Drive"! This can be done even if the user has the "MEGAsync browser extension".

Another critical security issue is that the attacker could also simply change your password, without needing to know your current one, as the app does not ask for that!

A person can open your PC (when he knows your password or you don't have one or it's a shared PC) and you have automatic-login for your MEGAsync app.

Let's say you have your PC open, and you have to leave it for a few minutes and leave it unlocked (either you forget, or it's an emergency which leaves you no time for that).

Hi, I would like to report a security issue with the Desktop app and suggest a solution.

An attacker accesses ALL of your cloud files (even those not synced with your PC!!) and/or changes your password.
