MEGApwn - Bookmarklet to recover your secret MEGA master key
nzkoz.github.ioThe issue here is that MEGA presents itself as "the privacy company" and makes some very careful claims about encryption:
All files stored on MEGA are encrypted. All data transfers from and
to MEGA are encrypted. And while most cloud storage providers can
and do claim the same, MEGA is different – unlike the industry norm
where the cloud storage provider holds the decryption key, with
MEGA, you control the encryption, you hold the keys, and you decide
who you grant or deny access to your files, without requiring any
risky software installs. It’s all happening in your web browser!
All it takes is one court order in a country where MEGA operates ordering them to obtain the user-held decryption keys via the exact same method this bookmarklet demonstrates. MEGA doesn't even have to be involved. In the US, a National Security Letter to your ISP could lead to a man-in-the-middle attack with the help of an SSL certificate that the government orders a trusted CA to provide for MEGA's domain. At that point, all of MEGA's carefully-crafted claims about security are moot.
Come on, MEGA is not about secure storage but about Dotcom being able to tell any copyright enforcement party that he can't tell whether bits he store are illegal or not (and thus keep his business running).
If the government has compromised trusted CAs to do man-in-the-middle attacks, my thought is that they are only for 'intelligence' levels of actions, at least at this point in time. The government isn't going to tip its hand to foreign adversaries even to jail a few pedophiles (or other breakers of Federal law).
Maybe you missed it, but the DEA already uses the questionable NSA secret surveillance to find drug dealers, and constructs evidence against them to hide use of the surveillance.
Well, that's acceptable. It is the War on Drugs after all. We have no War on Pedophilia, so we can't use it to go after the pedophiles. /s
That's way too much trouble.
It's much easier to compromise the user's computer and install whatever type of "utilities" they need to recover whatever data they want.
Thought tptacek's link on Javascript crypto, linked to in the article (and sort of a motivator for the experiment), was well worth a read.
Okay, this has absolutely nothing to do specifically with javascript in the browser! This attack is applicable to ANY system where the application designer leaves sensitive data in a place that can trivially accessed by malicious applications if they jump through a few simplistic hoops!
Mega left user data in an essentially public place.
This JS code needs to be run on the MEGA domain, right? That's why it's a bookmarklet. Other sites don't have access to the local storage required to extract the key. It does mean that MEGA can get the key and send it back to the site if MEGA was compromised but ultimately the client code needs to get the key to decrypt the MEGA content.
Some way of pinning or signing JavaScript verified by a third party or browser would be useful here. If it could also note what percentage of users was using a particular JS version you'd be more likely to notice if a targeted malicious JS was being sent.
Isn't the issue more that Mega portray that they CAN'T see what files you're storing (plausible deniability regarding pirated content) while this proves that they actually could see your file contents if they wanted to?
Which in turn really means it's no more secure than, say, DropBox.
At least that's the impression I have regarding why this is somewhat important.
This didn't need proving. They send you JavaScript code, which you trust to encrypt your files. Without a built-in, well-audited, static browser mechanism no web service can ever be trusted with confidential data.
If the Feds decide to raid MEGA again they can simply modify their server side script to recognise your IP and serve you bad JavaScript from the MEGA domain, revealing your keys the next time you login. Nobody would be any the wiser.
Personally I'm waiting for JS crypto to take off big time and idiots to start using it from a CDN.
> Without a built-in, well-audited, static browser mechanism no web service can ever be trusted with confidential data
That's why mega has a separate app: https://mega.co.nz/#chrome
The article isn't proving anything, it's an example of how a known problem affects MEGA. It's saying encrypt your files first, because trusting MEGA (or anyone who uses that kind of encryption) is not enough.
You're right, this just highlights the nature of the site in a very effective way. The message here is nobody should be surprised.
Sure, but don't you think it's important that they make this clear?
So far they market heavily on the fact that it's secure when this is simply not true.
If you read their security page, they do say you shouldn't use it if you don't trust them. But that's about it for any warning that you're basically sitting there naked.
I know no security system is entirely secure, but they aren't generally targeting security minded folks, they're targeting the layman who reads what they say and then thinks they're secure due to their weasel worded security page.
Meh. Should every site using HTTPS make it clear that hundreds of CAs whom you've never heard of have the capability to perform a MITM?
At least with MEGA you know the security framework is something they've engineered themselves, so you know you have to trust them. With SSL/TLS you're deferring to authority simply because it's convenient.
You still have to trust SSL, in the case of MEGA, COMODO is their CA, and they appear to use 128bit RC4.
Of course, if you've not cleaned your trusted certificates, someone like CNic can just MTIM you.
It's more secure than DropBox in that someone seizing MEGA's data can't read it. A MEGA employee can't read your data. To read your data they need to capture the private key. This is possible by virtue of the fact that they're sending you the code to use the private key.
This isn't even exactly about JavaScript cryptography. This is the equivalent to building a program to read the TrueCrypt keys out of memory.
The problem here is "the machine doing the cryptography can not be trusted", not "it's JavaScript in a webbrowser", though of course thats also a fundamental problem.
The problem actually isn't "the machine doing the cryptography can not be trusted" - the machine is basically you, the user, obviously once you have your files they're on your computer. If you don't trust your computer, what use do you have for files in the first place.
Problem is actually "the computer that sends you code to run on your PC can't be trusted". Big difference..
While they are the same class of attacks they are fundamentally different in the level of complexity required.
There's no 20 line piece of code that any user can run to get your TrueCrypt key, you're looking at an OS exploit to get kernel access, plus the code to find the key, and/or freezing the computer in liquid nitrogen and then reading the contents of memory directly.
It also mean that any of your Chrome / Firefox extension can access it when you open mega.co.nz
I also submitted a bug to MEGA, haven't recieved a response yet.
The bug goes like this: https://mega.co.nz/#!your_file_here!decryption_key In Firefox when you have Javascript disabled via the option or using an add-on like NoScript it will redirect you to: https://mega.co.nz/?_escaped_fragment_=your_file_here!decryp...
So MEGA will recieve the HTTP Request with $_GET['_escaped_fragment_'] containing your decryption key. So if you send a file to a friend who happens to not have Javascript enabled for the website it will reveal the decryption key to MEGA.
To fix the issue all MEGA needs to do is add a double hash like: https://mega.co.nz/##!your_file_here!decryption_key this redirects to https://mega.co.nz/#?_escaped_fragment_=your_file_here!decry... keeping your decryption key safe even if they forget to use Javascript.
I hope they submitted this to the MEGA Vulnerability Rewards Program https://mega.co.nz/#blog_6
My guess is that it already has, and has been ruled a side-channel/social-engineering attack (requiring either a compromised browser or to run arbitrary javascript on the site).
Yea, he did. I think the point is more that MEGA can read the key, and your files without permission. This contradicts their claim "Your data is encrypted by you before upload to our system and therefore we do not and cannot access that content"
Their claim is true so long as they don't snatch the key from you when you access the MEGA website.
I disagree. Can't is "we are unable to", not "we could if we just changed a couple lines of code".
They can claim they won't, but can't is misleading to the point of fraud, in my opinion.
Shocker. Likewise, if you ever access SpiderOak from a browser you're equally hosed.
If you don't trust the server then you can't expect thin client apps served from said server to be trustworthy. It's bizarre to me that people don't get that.
Not really a "pwn" (I hate that word), it is nearly impossible for any website to create encrypted data which it cannot retrieve themselves with some client side code. If you would do gpg/pgp in pure javascript someone could alter the javascript to send back the private key. Same thing with any client side software that can update itself without permission. Sure, when you first access it it could be secure, but the second time, when the code-provider is compromised you have instantly lost your "private" keys.
They could AES your keys before storing it in local storage and prompt the user for this extra key whenever they need to access your keys. Otherwise your private keys are just stored in a sqlite file or some other implementation specific file that your browser created on your file system.
And how would you ensure that the passphrase isn't transmitted upstream by a modified js-client?
actually, using firefox and the recomended plugin prevents this snippet. So it is actually kind of fixed...
Here's the .js:
[edit] formatting was removed, so this is more readable:
Doesn't work in chrome though.
[edit2] Lol; I just noticed the article actually shows the .js :P I never got past the button and checking what it did :P
Interestingly, they recently adding a Content Security Policy, which I would have thought would have prevented this bookmarklet.
So, does this guy win the chunk of cash that Kim Dotcom promised, or what?
This bookmarklet is a type of phishing. Phishing and social engineering has been there all the time. You cannot prevent all that from a service provider point. Mega is a secure platform that operates on basis of user side encryption. The mega.co.nz javascript ui just provides a reference implementation. Browsers can be used easily to compromise user data once physical access is obtained.
If you look at Mega API and SDK, design wise it is very clean. You can build your own custom application by importing those libraries which are not prone to this kind of attacks.
What is MEGA?
File sharing site intended as a successor to Megaupload:
There's a link to MEGA's website, right at the top of the submitted story's webpage. You might enjoy reading before commenting.
Without Javascript, MEGA's website is a blank white page. Without knowing exactly what MEGA is, why should a sufficiently paranoid user allow js from it to run?
Hence my dilemma.
Even clicking that link, I had no idea what it was. There's just a big red button and a meaningless tagline about privacy. I think it's a fair question.