Software Developer Says Mega Master Keys Are Retrievable
hypnosec writes that software developer Michael Koziarski has released a bookmarklet
"which he claims has the ability to reveal Mega users' master key. Koziarski went on to claim that Mega has the ability to grab its users' keys and use them to access their files. Dubbed MEGApwn, the tool not only reveals a user's master key, but also gives away a user's RSA private key exponent. 'MEGApwn is a bookmarklet that runs in your web browser and displays your supposedly secret MEGA master key, showing that it is not actually encrypted and can be retrieved by MEGA or anyone else with access to your computer without you knowing,' reads an explanation about the bookmarklet on its official page."
Re:Who trusts Mega anyway (Score:2, Interesting)
but most people realize that the guy is a self-aggrandizing scam artist and charlatan
This. The man is just the flip side of the copyright cartel, and they're both about the same thing: getting rich by leeching off the hard work and creativity of others.
Cue a hundred Defenders of the Faith claiming that this is well-engineered incompetence, not malice, and that a hole as wide as Uranus is actually not serious.
Re:of course they are retrievable (Score:2, Interesting)
Not to troll, but this may be a new tactic by Big Media or maybe the NSA to try and cripple Mega and others. I find it odd (though I do not make a conspiracy out of it) that the NSA is attacking owners of sites that refuse to give up their encryption, and the owners/creators are shutting their sites down.
It is possible, and I wouldn't be surprised to see someone or some sinister force at work here. But I am not sure if the creator of the exploit is supporting Mega and trying to improve its security, or trying to discredit the site.
Re: What's the big deal? (Score:1, Interesting)
I fixed this problem on my project using JavaScript closures. Your private keys are decrypted with your password. The password is never uploaded to the server; you can see that by looking at the POST requests. The decrypted key is stored in a local variable for activities during the rest of your session. Closures are secure: no program outside the function scope can access the keys or password. It's tricky to get right, so maybe Mega can fix it soon.
Re:Who trusts Mega anyway (Score:5, Interesting)
All those other companies gave no illusion of being secure.
Neither did Mega. They explain these very risks and others right in the FAQ [mega.co.nz], and since they launched have been using alternatives that do not involve trusting them. Providing an interface is a significant convenience, but you can't trust anything truly secret to a script someone else can remotely replace on a whim.