Software Developer Says Mega Master Keys Are Retrievable

hypnosec writes that software developer Michael Koziarski has released a bookmarklet "which he claims has the ability to reveal Mega users' master key. Koziarski went on to claim that Mega has the ability to grab its users' keys and use them to access their files. Dubbed MegaPWN, the tool not only reveals a user's master key, but also gives away a user's RSA private key exponent. 'MEGApwn is a bookmarklet that runs in your web browser and displays your supposedly secret MEGA master key, showing that it is not actually encrypted and can be retrieved by MEGA or anyone else with access to your computer without you knowing,' reads an explanation about the bookmarklet on its official page."

Who trusts Mega anyway

I don't think there are many people who would trust Mega anyway. I mean, we all pretty much feel the US (and the New Zealand) governments overreached and broke laws when they begin prosecuting Kim DotCom, but most people realize that the guy is a self-aggrandizing scam artist and charlatan. Does anyone actually trust his stuff?

Re:Who trusts Mega anyway

[Joining+Yet+Again]

but most people realize that the guy is a self-aggrandizing scam artist and charlatan

This. The man is just the flip side of the copyright cartel, and they're both about the same thing: getting rich by leeching off the hard work and creativity of others.

Cue a hundred Defenders of the Faith claiming that this is well-engineered incompetence, not malice, and that a hole as wide as Uranus is actually not serious.

Re:Who trusts Mega anyway

[denmarkw00t]

Does anyone actually trust his stuff?

For sensitive material? Of course not. But, I have used Mega a number of times for legit downloads (Android ROMs, Linux, various open-source projects). Let's not forget that MegaUpload was used for non-nefarious purposes, although people who store sensitive data unencrypted on someone else's service are always taking a risk.

Re:Who trusts Mega anyway

[sosume]

At least he's not lying about himself or his intentions. If anything, he's been absurdly honest. Just look at his licence plates, or one of his bragging pictures.

Re:Who trusts Mega anyway

[aaaaaaargh!]

the guy is a self-aggrandizing scam artist and charlatan

However, if he wore a suit with tie and had not only fullfilled DMCA requests (which he always did) but also had proactively given away his customers data to any US authority and private copyright holders like the RIAA without any real legal basis and had additionally given money to the two leading US parties, he'd be considered quite a decent fellow in the US now. In other words, while he never did anything else than Google and thousands of other companies, including US ones today, he hasn't shown "the right attitude" and that is the main and real reason why he is being persecuted now. He doesn't act the way you are expected to act as a rich entrepreneur with a serious business. Such misbehavior is usually sanctioned. They even wondered whether they could turn an inflatable tank he had in his garden into some kind of evil plot, but didn't manage to find the right legal angle to it...

Regarding trust ... well, at least New Zealand law cannot force you to install backdoors and lie to everyone about it, but of course you cannot trust any closed source company with data security. Encrypt on your own before storing something on Mega and you're fine.

Re:Who trusts Mega anyway

[glassware]

I read this as "Sega Master System Keys Are Retrievable." I was sadly disappointed.

Re:Who trusts Mega anyway

[wagnerrp]

All those other companies gave no illusion of being secure. Hell, they often had in their own terms and services that they would be reading your email for whatever purposes they desired. Kim Dotcom claims to be offering secure, encrypted services, yet anyone with a basic understanding of computer security can tell he's just putting up a facade for the masses. That's why he cannot be trusted. He's nothing but a blowhard.

Re:Who trusts Mega anyway

[Tom]

he hasn't shown "the right attitude" and that is the main and real reason why he is being persecuted now.

If you aren't a paid shill, you should change that. Your misleading and faulty argument surely qualifies, and you'd have to be an idiot to think that a multi-millionaire scam artist in the public spotlight would not have hired a PR agency to improve his online image.

Kimble is a career criminal, simple as that. He was prosecuted and even convicted before, and by several other governments. That distinct sound you're hearing is the shattered pieces of your argument falling apart.

If you are a large-scale career criminal, there are two paths you can go.

One, you can fly under the radar, like the people in the famous train robberies and serial bank breaks that many of us have heard about but almost nobody can name even one of the actual people involved.

Two, you can scale it up so much that it becomes quasi-legal by sheer scale and being-part-of-the-system, like the financial industry, the corporate corruption or the various pet-sectors of the various countries that are untouchable (Spain had a huge real estate scandal - nobody was ever convicted. Germany even has a name for the network of corporations, banks and government entities so closely connected that they all protect each other: Deutschland AG. In Greece, the shipping industry was holy for decades. In the US it is probably the military industry, and so on).

Kimble was arrogant and self-obsessed enough to think he could reach the same place simply by having an overblown ego and being audacious.

Re:Who trusts Mega anyway

[FuzzNugget]

...and that a hole as wide as Uranus is actually not serious.

Mine, I wouldn't worry about. Your mom's on other hand...

Re:Who trusts Mega anyway

[Tom]

Does anyone actually trust his stuff?

Idiots with no knowledge of history.

Kimble ratted his partners out to the FBI when he was under investigation for a previous crime some years ago. Once a traitor, always a traitor. If you think there are no closed-doors talks between Kimble who's trying to save his neck and the government, you must be very naive indeed. And the obvious thing that Kimble can offer is - the users of Mega, of course.

Re:Who trusts Mega anyway

[Barefoot+Monkey]

All those other companies gave no illusion of being secure.

Neither did Mega. They explain these very risks and others right in the FAQ and since they launched have using alternatives that do not involve trusting them. Providing a interface is a significant convenience, but you can't trust anything truly secret to a script someone else can remotely replace on a whim.

Re:Who trusts Mega anyway

[Barefoot+Monkey]

Proof-reading fail. Sorry :(

The missing word was "recommended". They have always recommended alternatives that do not involve trusting them. Here's an example from that same FAQ page:

What if I don't trust you? Is it still safe for me to use MEGA?

If you don't trust us, you cannot run any code provided by us, which precludes opening MEGA in your browser and entering your login credentials. However, due to MEGA's end-to-end encryption paradigm, you can safely use client applications written by someone you trust.

of course they are retrievable

[Noishe]

Once you enter your password into a website, the website can do anything that you can do.... Duh

Yes, mega doesn't have your key stored on their servers.
Yes, at any point while you're logged in they can change this fact, or they can just log your password, or whatever.

Doesn't matter what the website is, you have to trust it to use it.

How is this news?

Re:of course they are retrievable

not to troll but this may be a new tactic by Big Media or maybe the NSA to try and cripple Mega and others, I find it odd, (tho I do not make an conspiracy out of it) that the NSA is attacking owners of sites that refuse to give up there encryption, and the owners/creators are shutting there sites down.

It is possible and wouldn't be surprised to see someone or some sinister force at work here. But I am not sure if the creator of the exploit is supporting Mega, and trying to improve its security or trying to discredit the site.

Re:of course they are retrievable

[Joining+Yet+Again]

"I don't know all the software, firmware and hardware functionality perfectly, therefore I throw my arms in the air and give up."

Security is often as much about trust as anything. It is important to expose, more than anything else, something which could suggest a breach of trust.

Re:of course they are retrievable

[Score+Whore]

If the developer just decides to push down an update that logs your keys, you're fucked.

Well, there's your problem... Why are you letting people you don't know install and run software on your computer?

Fundamentally though, like all security, you need to make a cost benefit analysis. If you have data of a life and death nature, you shouldn't be entrusting it to anyone you can't kill. Or a little less extreme, you shouldn't be putting information in the hands of someone you can't successfully sue. That is, if you have a $50 liability limit plus $200 worth of time to "clean up" someone using your credit card without authorization, you shouldn't share that card number with anyone who wouldn't be willing to pay the $250 if they leak your card number. In the event that you don't expect to be able to sue someone, you shouldn't entrust them with any important or private data.

Another thing to consider, if your vendor (of your computer, your OS, your phone) includes a liability limitation in their agreement with you then they don't believe their shit is secure. If they don't believe that their product is secure, why should you?

What's the big deal?

[schneidafunk]

I don't get it, why is this a big deal? This just displays your local storage in your web browser.

Re:What's the big deal?

[denmarkw00t]

Yeah, I saw this tool was already built in to Chrome, so I guess I've had the hack for a while - even before this guy released it!

what's odd about this? Your key is local

[YesIAmAScript]

That's how you want it to be. It's zero-knowledge from MEGA's point of view. You generate your own key, keep it and use it to decrypt and encrypt stuff.

So of course if someone gets access to your computer they can get your key, it was on your computer all the time, by design.

His assertion that MEGA can get your key is what is a bit more surprising. But if you read it, he's simply saying it's conceptually possible that MEGA could use a script on their site to grab your key and send it to them. This is of course possible, but we have no way to know whether they've done it. If the javascript can access your key to encrypt/decrypt stuff, then it is also possible it can squirrel it away somewhere.

Re:what's odd about this? Your key is local

[Joining+Yet+Again]

His assertion that MEGA can get your key is what is a bit more surprising. But if you read it, he's simply saying it's conceptually possible that MEGA could use a script on their site to grab your key and send it to them.

And you think this isn't serious? Every vulnerability is "conceptually possible" until it's implemented. NSA/FBI/local bobby want to see what you've been using Mega for? Slip in a one time bit of Javascript to a page delivered by Mega, and it's all theirs for the reading.

Perhaps you don't even understand what Mega has been promising up to now.

Re:what's odd about this? Your key is local

[amicusNYCL]

As far as I can tell there isn't any other way to do it. If Javascript needs access to that encryption key then of course it is possible to send that key anywhere else. It sounds like there is some client-side encryption that takes place before sending files, and that encryption code presumably comes from Mega, and that encryption code uses your private key, so of course the encryption code has access to the key. How could it encrypt otherwise? The browser doesn't natively support that process, that is what would have to change in order for this to not be an issue. The promise by Mega not to store your keys is the only thing that users have, because if they are running Mega's encryption code client-side then there is nothing stopping Mega from getting your keys, or unencrypted data, or whatever else, other than their promise not to.

NSA/FBI/local bobby want to see what you've been using Mega for? Slip in a one time bit of Javascript to a page delivered by Mega, and it's all theirs for the reading.

Again, the onus is on Mega to stop that from happening, but they can only protect their own servers. If someone wants to intercept and decrypt your traffic and change the data to add new code (a man-in-the-middle attack), then that is still a threat. It's always going to be a threat as long as organizations like the NSA are capable of decrypting that SSL traffic.

Otherwise, this is not an issue that has a solution with today's browser implementations. Maybe Mega can produce their own version of Firefox or a Webkit-based browser that will natively implement their encryption without exposing the keys to Javascript, but then you would have to trust that software, don't you? It's all about trust. If you don't trust Mega, then don't use it.

Re:what's odd about this? Your key is local

[bluefoxlucid]

The issue is that it's 'conceptually possible' for Ubuntu to ship a package in the base system that uploads your keys to Canonical's servers. I can give you a script that you run on RHEL and it'll show decrypted ssh, ssl, and gpg keys (if you've entered the password). I can put a package on your system and show that RHAT could put a modified gpg that logs all your shit and passwords and everything to their server. And so on.

This isn't a vulnerability. It's like saying it's conceptually possible for a thief to steal your car after you've put the key in the ignition.

Re:what's odd about this? Your key is local

[swillden]

As far as I can tell there isn't any other way to do it. If Javascript needs access to that encryption key then of course it is possible to send that key anywhere else.

At present, this is true. There's a W3C WebCrypto spec in progress (being developed by Google and Mozilla, IIRC) that will change it, though. It will not only provide native implementations of ciphers accessible from Javascript (rather than performing expensive calculations in Javascript), but will also provide a client-side key store so Javascript code can create and use keys without ever seeing their value, and hence be unable to send the values anywhere.

I think the Javascript code would still have access to the decrypted data.

Caveat: It's been a while since I looked at the in-progress spec. It may have changed, and I guarantee my memory is faulty in at least some respect.

Re:what's odd about this? Your key is local

[DarkOx]

When the method is javascript in the browser; sourced from the very same service you are sending the encrypted data off to than yes; client side encryption is BS and probably offers so much attack surface it reduces security.

The fundamental problem here is you are running 'untrusted code' to handle sensitive information. There is a solution here. A small simple OSS program easily audited. Probably needs to be real real basic command line utility using few if any external libraries so people can post the md5sums of the output generated on their favorite platform by their favorite compiler and linker; that way everyone can compare, notes.

This would be too difficulte for 99% of Mega's users to deal with though.

Re:what's odd about this? Your key is local

[flux]

Just like your OS vendor can slip in an update that sends all your keys to them. (As Shuttleworth said, they have root.) You basically need to trust someone, as no one person is able to audit everything people typically use daily.

Summary

[LordLimecat]

Unless Im misreading it, this can be summarized as follows:
  * Coder has discovered that, in order to encrypt data, your computer must have access to the encryption key
  * Further, if someone has root access to your machine, they can get your encryption key.

Wow. What a discovery.

MEGA and anyone else with access to your computer can see this, and use it to decrypt any file you upload.

Wait, someone with access to my computer has access to things that my computer has access to? WOW!

Re:Summary

[Laxori666]

Well. The whole point of Mega was that not even Mega would know what you are storing on their servers. "The end to end encryption means that Mega pretty much can't narc on you, no matter how much pressure it's under. It won't know what you're storing on its servers, by design." gizmodo. Thus there's a reasonable expectation that Mega cannot find out what you are storing on its servers. Now it turns out there is a ridiculously easy way for Mega to find out what you're storing there: all Mega has to do is run some JavaScript on your computer. Which it does anyway.

I suppose either way you'd have to trust that the website is only uploading encrypted stuff to Mega and not the file itself. But now it turns out even if they're doing that, they can still decrypt your stuff. And also any website on the internet.

Well I suppose that the JS client could also have just sent the keys it generated to Mega as soon as it generated them.

Ok, basically there's no way this security model can work. I just feel a bit foolish now. But I'm glad TFA made me think about it for the two minutes it took to figure out that there's no real expectation of security here. Other articles (like that gizmodo one) painted quite the misleading picture.

Re:JavaScript not secure?

[gl4ss]

yeah something you run on your browser.. ..that gives you access to the files.. CAN GIVE YOU ACCESS TO THE FILES.

wow what a shock! because in this case, MEGA can alter the js so that they get the keys. how this is is news I don't really get. it's just common sense.

the real question is, are there 3rd party mega clients that are not javascript or subject to changing without notice..

Obvious

[TheSpoom]

So this is obvious to anyone with knowledge of encryption. I believe Mega's claim is that because the encryption is done on the client side, they don't know the key. This could be true, but you still have to take their word for it.

But even though it's obvious, it's something to consider. Mega claims that they could not decrypt your files. This is demonstrably false. So what's to stop the government from serving them with a National Security Letter that forces them to add code to the login process, logging all keys upon login, without any advance warning to their customers?

There's essentially no way to trust a third party on the internet now without an alternate, reliable channel of communication to exchange keys in the first place.

Re:Obvious

[Terrasque]

> Mega claims that they could not decrypt your files. This is demonstrably false.

Not quite.. It requires all these things to happen:

1. Mega gets a reason to get your key (LEA for example)
2. Mega adds new JS just for you
3. You use the web interface
4. You log in
5. You don't notice the new code (Mega already have a chrome browser extension that would stop this by running its own code instead of the server's code iirc)

So.. They have to start looking for your key, you have to use the *web interface*, AFTER they decided that, and you have to run the new code.

None of these are a given. You can upload on an account, and then never log in again. Or use a non-web client (is for android and windows, at least). Or use a browser with the extension.

Wrong. Mega is doing it.

[cbhacking]

If you want to store encrypted files, then [you must] encrypt them locally before uploading them.

Emphasis and clarification added. The problem isn't that the files aren't getting encrypted before upload, it's that *you* aren't doing it. Your browser, executing JS code from mega.co.nz, is doing it. You aren't even running the encryption program yourself; it's all automatic. You are handing Mega an un-encrypted file, and trusting them to securely encrypt it against themselves. Does this sound stupid yet? Let me be a little clearer: what does it matter whose actual CPU executes the crypto code, when Mega owns (and can change at any time) that code?

While Mega's approach is very convenient, it also throws all security guarantees out the window. From the user's perspective, they are giving an untrusted site ("untrusted" here is used in the security sense, as in "we are not absolutely sure that this site will not attempt to rat us out, so we are never going to let it see the unencrypted data") access to... unencrypted data. See the problem here? Yes, the version of the site's JS that you downloaded on this visit probably doesn't contain anything that leaks your decryption key to Mega, but there's no guarantee of that unless you audited the code yourself. Even then, it could be different next time...

Let me reiterate those points one more time:
1) You are handing Mega access to your plain-text data. It doesn't matter whose CPU modifies the data; Mega controls the code that runs on the CPU.
2) Because of item #1, all of Mega's guarantees are bullshit. The next time you visit their site, they could steal your keys and decrypt all your data; you can't stop them.
3) The only way to do this securely is, as amicusNYCL points out, encrypt them yourself. That means *not* using Mega's code, or the code of anybody else you are attempting to encrypt *against*.

I cannot be the only one

[ArcadeMan]

I read the title as "Software developer says Sega Master keys are retrievable".

Re:JavaScript not secure?

[tgd]

yeah something you run on your browser.. ..that gives you access to the files.. CAN GIVE YOU ACCESS TO THE FILES.

wow what a shock! because in this case, MEGA can alter the js so that they get the keys. how this is is news I don't really get. it's just common sense.

the real question is, are there 3rd party mega clients that are not javascript or subject to changing without notice..

What is common sense to anyone who understands how a service is built is not necessarily common sense to those who use it.

So it matters.