by aray 4666 days ago
I hope they submitted this to the MEGA Vulnerability Rewards Program https://mega.co.nz/#blog_6

My guess is that it already has, and has been ruled a side-channel/social-engineering attack (requiring either a compromised browser or to run arbitrary JavaScript on the site).


Yea, he did. I think the point is more that MEGA can read the key and your files without permission. This contradicts their claim: "Your data is encrypted by you before upload to our system and therefore we do not and cannot access that content."
Their claim is true so long as they don't snatch the key from you when you access the MEGA website.
I disagree. Can't is "we are unable to", not "we could if we just changed a couple lines of code".

They can claim they won't, but can't is misleading to the point of fraud, in my opinion.