Monday, May 16, 2022

Mega Session bug: Cloud Drive without an account

We’ve been contacted by HD_Breaker, a pen-tester and co-manager of, with information on a security flaw in Kim Dotcom’s newly launched site,

HD_Breaker also provided a proof of concept (PoC) for this bug.

To carry out this exploit, you need to go to the registration page of Mega’s site, put in false info, and click register.

You will then be on a page stating that registration was successful, with a button in the top right corner labelled “Abort Session”. Now press the back button in your web browser and you should be in a cloud drive.

With this bug you can also generate your own encrypted links and have all the abilities of a registered user without an account.

About FastFlux

Owner of ZeroSecurity, interested in programming, malware analysis and penetration testing. If you would like to write for the ZeroSecurity team, please use the contact form above.
