Software Developer Says Mega Master Keys Are Retrievable 136
hypnosec writes that software developer Michael Koziarski has released a bookmarklet
"which he claims has the ability to reveal Mega users' master key. Koziarski went on to claim that Mega has the ability to grab its users' keys and use them to access their files. Dubbed MegaPWN, the tool not only reveals a user's master key, but also gives away a user's RSA private key exponent. 'MEGApwn is a bookmarklet that runs in your web browser and displays your supposedly secret MEGA master key, showing that it is not actually encrypted and can be retrieved by MEGA or anyone else with access to your computer without you knowing,' reads an explanation about the bookmarklet on its official page."
what's odd about this? Your key is local (Score:5, Informative)
That's how you want it to be. It's zero-knowledge from MEGA's point of view. You generate your own key, keep it and use it to decrypt and encrypt stuff.
So of course if someone gets access to your computer they can get your key, it was on your computer all the time, by design.
His assertion that MEGA can get your key is what is a bit more surprising. But if you read it, he's simply saying it's conceptually possible that MEGA could use a script on their site to grab your key and send it to them. This is of course possible, but we have no way to know whether they've done it. If the javascript can access your key to encrypt/decrypt stuff, then it is also possible it can squirrel it away somewhere.
Re:JavaScript not secure? (Score:5, Informative)
yeah something you run on your browser.. ..that gives you access to the files.. CAN GIVE YOU ACCESS TO THE FILES.
wow what a shock! because in this case, MEGA can alter the js so that they get the keys. how this is is news I don't really get. it's just common sense.
the real question is, are there 3rd party mega clients that are not javascript or subject to changing without notice..
Re:what's odd about this? Your key is local (Score:4, Informative)
As far as I can tell there isn't any other way to do it. If Javascript needs access to that encryption key then of course it is possible to send that key anywhere else. It sounds like there is some client-side encryption that takes place before sending files, and that encryption code presumably comes from Mega, and that encryption code uses your private key, so of course the encryption code has access to the key. How could it encrypt otherwise? The browser doesn't natively support that process, that is what would have to change in order for this to not be an issue. The promise by Mega not to store your keys is the only thing that users have, because if they are running Mega's encryption code client-side then there is nothing stopping Mega from getting your keys, or unencrypted data, or whatever else, other than their promise not to.
NSA/FBI/local bobby want to see what you've been using Mega for? Slip in a one time bit of Javascript to a page delivered by Mega, and it's all theirs for the reading.
Again, the onus is on Mega to stop that from happening, but they can only protect their own servers. If someone wants to intercept and decrypt your traffic and change the data to add new code (a man-in-the-middle attack), then that is still a threat. It's always going to be a threat as long as organizations like the NSA are capable of decrypting that SSL traffic.
Otherwise, this is not an issue that has a solution with today's browser implementations. Maybe Mega can produce their own version of Firefox or a Webkit-based browser that will natively implement their encryption without exposing the keys to Javascript, but then you would have to trust that software, don't you? It's all about trust. If you don't trust Mega, then don't use it.
Re:what's odd about this? Your key is local (Score:4, Informative)
As far as I can tell there isn't any other way to do it. If Javascript needs access to that encryption key then of course it is possible to send that key anywhere else.
At present, this is true. There's a W3C WebCrypto spec in progress (being developed by Google and Mozilla, IIRC) that will change it, though. It will not only provide native implementations of ciphers accessible from Javascript (rather than performing expensive calculations in Javascript), but will also provide a client-side key store so Javascript code can create and use keys without ever seeing their value, and hence be unable to send the values anywhere.
I think the Javascript code would still have access to the decrypted data.
Caveat: It's been a while since I looked at the in-progress spec. It may have changed, and I guarantee my memory is faulty in at least some respect.
Re:Who trusts Mega anyway (Score:4, Informative)
Proof-reading fail. Sorry :(
The missing word was "recommended". They have always recommended alternatives that do not involve trusting them. Here's an example from that same FAQ page:
What if I don't trust you? Is it still safe for me to use MEGA?
If you don't trust us, you cannot run any code provided by us, which precludes opening MEGA in your browser and entering your login credentials. However, due to MEGA's end-to-end encryption paradigm, you can safely use client applications written by someone you trust.