MEGApwn - Bookmarklet to recover your secret MEGA master key

71 points by nhm, over 11 years ago

15 comments

biot, over 11 years ago
The issue here is that MEGA presents itself as "the privacy company" and makes some very careful claims about encryption:

    All files stored on MEGA are encrypted. All data transfers from and to MEGA are encrypted. And while most cloud storage providers can and do claim the same, MEGA is different – unlike the industry norm where the cloud storage provider holds the decryption key, with MEGA, you control the encryption, you hold the keys, and you decide who you grant or deny access to your files, without requiring any risky software installs. It's all happening in your web browser!

It's true that everything is encrypted. And it's true that many cloud storage providers hold the decryption keys. It's also true that with MEGA, you hold the keys. What they carefully avoid claiming is that MEGA is unable to read the decryption keys.

All it takes is one court order in a country where MEGA operates ordering them to obtain the user-held decryption keys via the exact same method this bookmarklet demonstrates. MEGA doesn't even have to be involved. In the US, a National Security Letter to your ISP could lead to a man-in-the-middle attack with the help of an SSL certificate that the government orders a trusted CA to provide for MEGA's domain. At that point, all of MEGA's carefully-crafted claims about security are moot.
austinz, over 11 years ago
Thought tptacek's link on Javascript crypto, linked to in the article (and sort of a motivator for the experiment), was well worth a read.

http://www.matasano.com/articles/javascript-cryptography/
doublec, over 11 years ago
This JS code needs to be run on the MEGA domain, right? That's why it's a bookmarklet. Other sites don't have access to the local storage required to extract the key. It does mean that MEGA can get the key and send it back to the site if MEGA was compromised but ultimately the client code needs to get the key to decrypt the MEGA content.

Some way of pinning or signing JavaScript verified by a third party or browser would be useful here. If it could also note what percentage of users was using a particular JS version you'd be more likely to notice if a targeted malicious JS was being sent.
revelation, over 11 years ago
This isn't even exactly about JavaScript cryptography. This is the equivalent to building a program to read the TrueCrypt keys out of memory.

The problem here is "the machine doing the cryptography can not be trusted", not "it's JavaScript in a webbrowser", though of course that's also a fundamental problem.
bug0303, over 11 years ago
I also submitted a bug to MEGA, haven't received a response yet.

The bug goes like this: https://mega.co.nz/#!your_file_here!decryption_key In Firefox when you have Javascript disabled via the option or using an add-on like NoScript it will redirect you to: https://mega.co.nz/?_escaped_fragment_=your_file_here!decryption_key

So MEGA will receive the HTTP Request with $_GET['_escaped_fragment_'] containing your decryption key. So if you send a file to a friend who happens to not have Javascript enabled for the website it will reveal the decryption key to MEGA.

To fix the issue all MEGA needs to do is add a double hash like: https://mega.co.nz/##!your_file_here!decryption_key this redirects to https://mega.co.nz/#?_escaped_fragment_=your_file_here!decryption_key keeping your decryption key safe even if they forget to use Javascript.
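To make the URL handling in this bug report concrete, here is an added JavaScript (Node) example that is not part of the thread and not MEGA's code. It models the no-JavaScript fallback as a literal substitution of the first `#!` with `?_escaped_fragment_=` (an assumption on my part; that single substitution reproduces both redirect targets quoted in the comment) and then checks which part of each URL a browser would actually send to the server. The file handle and key are the same placeholders the comment uses.

```javascript
// Added example (not MEGA's code, not from the thread). Models the
// fragment-to-query rewrite described in the comment above and checks
// what part of the resulting URL leaves the browser.

// A browser never sends the fragment (everything from the first '#') in an
// HTTP request; only scheme, host, path and query string reach the server.
function serverVisiblePart(url) {
  const hashIndex = url.indexOf('#');
  return hashIndex === -1 ? url : url.slice(0, hashIndex);
}

// Assumption: the no-JavaScript fallback rewrites the first "#!" into
// "?_escaped_fragment_=" (the old AJAX-crawling convention). On "#!X" this
// yields "?_escaped_fragment_=X"; on "##!X" it yields "#?_escaped_fragment_=X",
// which are exactly the two redirect targets quoted in the comment.
function escapedFragmentRewrite(url) {
  return url.replace('#!', '?_escaped_fragment_=');
}

// Does the key end up in the part of the rewritten URL that the browser
// will send to the server?
function keyLeaksToServer(shareLink, key) {
  const redirected = escapedFragmentRewrite(shareLink);
  return serverVisiblePart(redirected).includes(key);
}

// Build a share link; useDoubleHash=true applies the fix proposed above.
function buildShareLink(fileHandle, key, useDoubleHash) {
  const prefix = useDoubleHash ? '##!' : '#!';
  return `https://mega.co.nz/${prefix}${fileHandle}!${key}`;
}

// Constructed placeholders, the same ones used in the comment.
const FILE_HANDLE = 'your_file_here';
const KEY = 'decryption_key';

// Compare the single-hash link with the double-hash fix side by side.
function demo() {
  const results = {};
  for (const doubleHash of [false, true]) {
    const link = buildShareLink(FILE_HANDLE, KEY, doubleHash);
    const redirected = escapedFragmentRewrite(link);
    results[link] = {
      redirectedTo: redirected,
      serverSees: serverVisiblePart(redirected),
      keyLeaks: keyLeaksToServer(link, KEY),
    };
  }
  return results;
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it shows the single-hash link rewritten so that the server receives `?_escaped_fragment_=your_file_here!decryption_key`, while the double-hash link keeps the whole payload behind a `#` and the server sees only `https://mega.co.nz/`. The general lesson is the one the comment makes: anything that moves data out of the fragment and into the path or query string turns a client-only secret into a server-visible one.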
aray, over 11 years ago
I hope they submitted this to the MEGA Vulnerability Rewards Program https://mega.co.nz/#blog_6

My guess is that it already has, and has been ruled a side-channel/social-engineering attack (requiring either a compromised browser or to run arbitrary javascript on the site).
SCdF, over 11 years ago
Shocker. Likewise, if you ever access SpiderOak from a browser you're equally hosed.

If you don't trust the server then you can't expect thin client apps served from said server to be trustworthy. It's bizarre to me that people don't get that.
gnur, over 11 years ago
Not really a "pwn" (I hate that word), it is nearly impossible for any website to create encrypted data which it cannot retrieve themselves with some client side code. If you would do gpg/pgp in pure javascript someone could alter the javascript to send back the private key. Same thing with any client side software that can update itself without permission. Sure, when you first access it it could be secure, but the second time, when the code-provider is compromised you have instantly lost your "private" keys.
snissn, over 11 years ago
They could AES your keys before storing it in local storage and prompt the user for this extra key whenever they need to access your keys. Otherwise your private keys are just stored in a sqlite file or some other implementation specific file that your browser created on your file system.
liketherest, over 11 years ago
Actually, using firefox and the recommended plugin prevents this snippet. So it is actually kind of fixed...
NKCSS, over 11 years ago
Here's the .js:

[edit] formatting was removed, so this is more readable:

http://jsfiddle.net/QC9mz/

Doesn't work in chrome though.

[edit2] Lol; I just noticed the article actually shows the .js :P I never got past the button and checking what it did :P
snikch, over 11 years ago
Interestingly, they recently added a Content Security Policy, which I would have thought would have prevented this bookmarklet.

https://mega.co.nz/#blog_19
oinksoft, over 11 years ago
So, does this guy win the chunk of cash that Kim Dotcom promised, or what?
slynux, over 11 years ago
This bookmarklet is a type of phishing. Phishing and social engineering have been there all the time. You cannot prevent all that from a service provider point. Mega is a secure platform that operates on basis of user side encryption. The mega.co.nz javascript ui just provides a reference implementation. Browsers can be used easily to compromise user data once physical access is obtained.

If you look at Mega API and SDK, design wise it is very clean. You can build your own custom application by importing those libraries which are not prone to these kinds of attacks.
tomrod, over 11 years ago
What is MEGA?