
MEGApwn - Bookmarklet to recover your secret MEGA master key - nhm
http://nzkoz.github.io/MegaPWN/
======
biot
The issue here is that MEGA presents itself as "the privacy company" and makes
some very careful claims about encryption:

    
    
      All files stored on MEGA are encrypted. All data transfers from and
      to MEGA are encrypted. And while most cloud storage providers can
      and do claim the same, MEGA is different – unlike the industry norm
      where the cloud storage provider holds the decryption key, with
      MEGA, you control the encryption, you hold the keys, and you decide
      who you grant or deny access to your files, without requiring any
      risky software installs. It’s all happening in your web browser!
    

It's true that everything is encrypted. And it's true that many cloud storage
providers hold the decryption keys. It's also true that with MEGA, you hold
the keys. What they carefully avoid claiming is that MEGA is unable to read
the decryption keys.

All it takes is one court order in a country where MEGA operates ordering them
to obtain the user-held decryption keys via the exact same method this
bookmarklet demonstrates. MEGA doesn't even have to be involved. In the US, a
National Security Letter to your ISP could lead to a man-in-the-middle attack
with the help of an SSL certificate that the government orders a trusted CA to
provide for MEGA's domain. At that point, all of MEGA's carefully-crafted
claims about security are moot.

~~~
pyre
If the government _has_ compromised trusted CAs to do man-in-the-middle
attacks, my thought is that they are only for 'intelligence' levels of
actions, at least at this point in time. The government isn't going to tip its
hand to foreign adversaries even to jail a few pedophiles (or other breakers
of Federal law).

~~~
andrewljohnson
Maybe you missed it, but the DEA already uses the questionable NSA secret
surveillance to find drug dealers, and constructs evidence against them to
hide use of the surveillance.

~~~
pyre
Well, that's acceptable. It is the _War_ on Drugs after all. We have no _War_
on Pedophilia, so we can't use it to go after the pedophiles. /s

------
austinz
Thought tptacek's link on Javascript crypto, linked to in the article (and
sort of a motivator for the experiment), was well worth a read.

[http://www.matasano.com/articles/javascript-
cryptography/](http://www.matasano.com/articles/javascript-cryptography/)

~~~
Everlag
Okay, this has absolutely nothing to do specifically with javascript in the
browser! This attack is applicable to ANY system where the application
designer leaves sensitive data in a place that can trivially accessed by
malicious applications if they jump through a few simplistic hoops!

Mega left user data in an essentially public place.

------
doublec
This JS code needs to be run on the MEGA domain, right? That's why it's a
bookmarklet. Other sites don't have access to the local storage required to
extract the key. It does mean that MEGA can get the key and send it back to
the site if MEGA was compromised but ultimately the client code needs to get
the key to decrypt the MEGA content.

Some way of pinning or signing JavaScript verified by a third party or browser
would be useful here. If it could also note what percentage of users was using
a particular JS version you'd be more likely to notice if a targeted malicious
JS was being sent.

~~~
traskjd
Isn't the issue more that Mega portray that they CAN'T see what files you're
storing (plausible deniability regarding pirated content) while this proves
that they actually could see your file contents if they wanted to?

Which in turn really means it's no more secure than, say, DropBox.

At least that's the impression I have regarding why this is somewhat
important.

~~~
nly
This didn't need proving. They send you JavaScript code, which you trust to
encrypt your files. Without a built-in, well-audited, static browser mechanism
_no web service can ever be trusted with confidential data_.

If the Feds decide to raid MEGA again they can simply modify their server side
script to recognise your IP and serve you bad JavaScript from the MEGA domain,
revealing your keys the next time you login. Nobody would be any the wiser.

Personally I'm waiting for JS crypto to take off big time and idiots to start
using it from a CDN.

~~~
nhm
The article isn't _proving_ anything, it's an example of how a known problem
affects MEGA. It's saying encrypt your files first, because trusting MEGA (or
anyone who uses that kind of encryption) is not enough.

~~~
nly
You're right, this just highlights the nature of the site in a very effective
way. The message here is nobody should be surprised.

------
revelation
This isn't even exactly about JavaScript cryptography. This is the equivalent
to building a program to read the TrueCrypt keys out of memory.

The problem here is "the machine doing the cryptography can not be trusted",
not "it's JavaScript in a webbrowser", though of course thats also a
fundamental problem.

~~~
fleitz
While they are the same class of attacks they are fundamentally different in
the level of complexity required.

There's no 20 line piece of code that any user can run to get your TrueCrypt
key, you're looking at an OS exploit to get kernel access, plus the code to
find the key, and/or freezing the computer in liquid nitrogen and then reading
the contents of memory directly.

~~~
byroot
It also mean that any of your Chrome / Firefox extension can access it when
you open mega.co.nz

------
bug0303
I also submitted a bug to MEGA, haven't recieved a response yet.

The bug goes like this:
[https://mega.co.nz/#!your_file_here!decryption_key](https://mega.co.nz/#!your_file_here!decryption_key)
In Firefox when you have Javascript disabled via the option or using an add-on
like NoScript it will redirect you to:
[https://mega.co.nz/?_escaped_fragment_=your_file_here!decryp...](https://mega.co.nz/?_escaped_fragment_=your_file_here!decryption_key)

So MEGA will recieve the HTTP Request with $_GET['_escaped_fragment_']
containing your decryption key. So if you send a file to a friend who happens
to not have Javascript enabled for the website it will reveal the decryption
key to MEGA.

To fix the issue all MEGA needs to do is add a double hash like:
[https://mega.co.nz/##!your_file_here!decryption_key](https://mega.co.nz/##!your_file_here!decryption_key)
this redirects to
[https://mega.co.nz/#?_escaped_fragment_=your_file_here!decry...](https://mega.co.nz/#?_escaped_fragment_=your_file_here!decryption_key)
keeping your decryption key safe even if they forget to use Javascript.

------
aray
I hope they submitted this to the MEGA Vulnerability Rewards Program
[https://mega.co.nz/#blog_6](https://mega.co.nz/#blog_6)

My guess is that it already has, and has been ruled a side-channel/social-
engineering attack (requiring either a compromised browser or to run arbitrary
javascript on the site).

~~~
nhm
Yea, he did. I think the point is more that MEGA can read the key, and your
files without permission. This contradicts their claim "Your data is encrypted
by you before upload to our system and therefore we do not and cannot access
that content"

~~~
Mindless2112
Their claim is true so long as they don't snatch the key from you when you
access the MEGA website.

~~~
icebraining
I disagree. Can't is "we are unable to", not "we could if we just changed a
couple lines of code".

They can claim they won't, but can't is misleading to the point of fraud, in
my opinion.

------
SCdF
Shocker. Likewise, if you ever access SpiderOak from a browser you're equally
hosed.

If you don't trust the server then you can't expect thin client apps served
from said server to be trustworthy. It's bizarre to me that people don't get
that.

------
gnur
Not really a "pwn" (I hate that word), it is nearly impossible for any website
to create encrypted data which it cannot retrieve themselves with some client
side code. If you would do gpg/pgp in pure javascript someone could alter the
javascript to send back the private key. Same thing with any client side
software that can update itself without permission. Sure, when you first
access it it could be secure, but the second time, when the code-provider is
compromised you have instantly lost your "private" keys.

------
snissn
They could AES your keys before storing it in local storage and prompt the
user for this extra key whenever they need to access your keys. Otherwise your
private keys are just stored in a sqlite file or some other implementation
specific file that your browser created on your file system.

~~~
e12e
And how would you ensure that the passphrase isn't transmitted upstream by a
modified js-client?

------
liketherest
actually, using firefox and the recomended plugin prevents this snippet. So it
is actually kind of fixed...

------
NKCSS
Here's the .js:

[edit] formatting was removed, so this is more readable:

[http://jsfiddle.net/QC9mz/](http://jsfiddle.net/QC9mz/)

Doesn't work in chrome though.

[edit2] Lol; I just noticed the article actually shows the .js :P I never got
past the button and checking what it did :P

------
snikch
Interestingly, they recently adding a Content Security Policy, which I would
have thought would have prevented this bookmarklet.

[https://mega.co.nz/#blog_19](https://mega.co.nz/#blog_19)

------
oinksoft
So, does this guy win the chunk of cash that Kim Dotcom promised, or what?

------
slynux
This bookmarklet is a type of phishing. Phishing and social engineering has
been there all the time. You cannot prevent all that from a service provider
point. Mega is a secure platform that operates on basis of user side
encryption. The mega.co.nz javascript ui just provides a reference
implementation. Browsers can be used easily to compromise user data once
physical access is obtained.

If you look at Mega API and SDK, design wise it is very clean. You can build
your own custom application by importing those libraries which are not prone
to this kind of attacks.

------
tomrod
What is MEGA?

~~~
NotHereNotThere
There's a link to MEGA's website, right at the top of the submitted story's
webpage. You might enjoy reading before commenting.

~~~
alcari
Without Javascript, MEGA's website is a blank white page. Without knowing
exactly what MEGA is, why should a sufficiently paranoid user allow js from it
to run?

~~~
tomrod
Hence my dilemma.

