The issue here is that MEGA presents itself as "the privacy company" and makes some very careful claims about encryption:
All files stored on MEGA are encrypted. All data transfers from and
to MEGA are encrypted. And while most cloud storage providers can
and do claim the same, MEGA is different – unlike the industry norm
where the cloud storage provider holds the decryption key, with
MEGA, you control the encryption, you hold the keys, and you decide
who you grant or deny access to your files, without requiring any
risky software installs. It’s all happening in your web browser!
It's true that everything is encrypted. And it's true that many cloud storage providers hold the decryption keys. It's also true that with MEGA, you hold the keys. What they carefully avoid claiming is that MEGA is unable to read the decryption keys.
All it takes is one court order in a country where MEGA operates ordering them to obtain the user-held decryption keys via the exact same method this bookmarklet demonstrates. MEGA doesn't even have to be involved. In the US, a National Security Letter to your ISP could lead to a man-in-the-middle attack with the help of an SSL certificate that the government orders a trusted CA to provide for MEGA's domain. At that point, all of MEGA's carefully-crafted claims about security are moot.
Come on, MEGA is not about secure storage but about Dotcom being able to tell any copyright enforcement party that he can't tell whether bits he store are illegal or not (and thus keep his business running).
If the government has compromised trusted CAs to do man-in-the-middle attacks, my thought is that they are only for 'intelligence' levels of actions, at least at this point in time. The government isn't going to tip its hand to foreign adversaries even to jail a few pedophiles (or other breakers of Federal law).
Maybe you missed it, but the DEA already uses the questionable NSA secret surveillance to find drug dealers, and constructs evidence against them to hide use of the surveillance.
Okay, this has absolutely nothing to do specifically with javascript in the browser! This attack is applicable to ANY system where the application designer leaves sensitive data in a place that can trivially accessed by malicious applications if they jump through a few simplistic hoops!
Mega left user data in an essentially public place.
This JS code needs to be run on the MEGA domain, right? That's why it's a bookmarklet. Other sites don't have access to the local storage required to extract the key. It does mean that MEGA can get the key and send it back to the site if MEGA was compromised but ultimately the client code needs to get the key to decrypt the MEGA content.
Some way of pinning or signing JavaScript verified by a third party or browser would be useful here. If it could also note what percentage of users was using a particular JS version you'd be more likely to notice if a targeted malicious JS was being sent.
Isn't the issue more that Mega portray that they CAN'T see what files you're storing (plausible deniability regarding pirated content) while this proves that they actually could see your file contents if they wanted to?
Which in turn really means it's no more secure than, say, DropBox.
At least that's the impression I have regarding why this is somewhat important.
This didn't need proving. They send you JavaScript code, which you trust to encrypt your files. Without a built-in, well-audited, static browser mechanism no web service can ever be trusted with confidential data.
If the Feds decide to raid MEGA again they can simply modify their server side script to recognise your IP and serve you bad JavaScript from the MEGA domain, revealing your keys the next time you login. Nobody would be any the wiser.
Personally I'm waiting for JS crypto to take off big time and idiots to start using it from a CDN.
The article isn't proving anything, it's an example of how a known problem affects MEGA. It's saying encrypt your files first, because trusting MEGA (or anyone who uses that kind of encryption) is not enough.
Sure, but don't you think it's important that they make this clear?
So far they market heavily on the fact that it's secure when this is simply not true.
If you read their security page, they do say you shouldn't use it if you don't trust them. But that's about it for any warning that you're basically sitting there naked.
I know no security system is entirely secure, but they aren't generally targeting security minded folks, they're targeting the layman who reads what they say and then thinks they're secure due to their weasel worded security page.
Meh. Should every site using HTTPS make it clear that hundreds of CAs whom you've never heard of have the capability to perform a MITM?
At least with MEGA you know the security framework is something they've engineered themselves, so you know you have to trust them. With SSL/TLS you're deferring to authority simply because it's convenient.
It's more secure than DropBox in that someone seizing MEGA's data can't read it. A MEGA employee can't read your data. To read your data they need to capture the private key. This is possible by virtue of the fact that they're sending you the code to use the private key.
This isn't even exactly about JavaScript cryptography. This is the equivalent to building a program to read the TrueCrypt keys out of memory.
The problem here is "the machine doing the cryptography can not be trusted", not "it's JavaScript in a webbrowser", though of course thats also a fundamental problem.
The problem actually isn't "the machine doing the cryptography can not be trusted" - the machine is basically you, the user, obviously once you have your files they're on your computer. If you don't trust your computer, what use do you have for files in the first place.
Problem is actually "the computer that sends you code to run on your PC can't be trusted". Big difference..
While they are the same class of attacks they are fundamentally different in the level of complexity required.
There's no 20 line piece of code that any user can run to get your TrueCrypt key, you're looking at an OS exploit to get kernel access, plus the code to find the key, and/or freezing the computer in liquid nitrogen and then reading the contents of memory directly.
So MEGA will recieve the HTTP Request with $_GET['_escaped_fragment_'] containing your decryption key.
So if you send a file to a friend who happens to not have Javascript enabled for the website it will reveal the decryption key to MEGA.
My guess is that it already has, and has been ruled a side-channel/social-engineering attack (requiring either a compromised browser or to run arbitrary javascript on the site).
Yea, he did. I think the point is more that MEGA can read the key, and your files without permission. This contradicts their claim "Your data is encrypted by you before upload to our system and therefore we do not and cannot access that content"
Shocker. Likewise, if you ever access SpiderOak from a browser you're equally hosed.
If you don't trust the server then you can't expect thin client apps served from said server to be trustworthy. It's bizarre to me that people don't get that.
Not really a "pwn" (I hate that word), it is nearly impossible for any website to create encrypted data which it cannot retrieve themselves with some client side code.
If you would do gpg/pgp in pure javascript someone could alter the javascript to send back the private key.
Same thing with any client side software that can update itself without permission.
Sure, when you first access it it could be secure, but the second time, when the code-provider is compromised you have instantly lost your "private" keys.
They could AES your keys before storing it in local storage and prompt the user for this extra key whenever they need to access your keys. Otherwise your private keys are just stored in a sqlite file or some other implementation specific file that your browser created on your file system.
This bookmarklet is a type of phishing. Phishing and social engineering has been there all the time. You cannot prevent all that from a service provider point. Mega is a secure platform that operates on basis of user side encryption. The mega.co.nz javascript ui just provides a reference implementation. Browsers can be used easily to compromise user data once physical access is obtained.
If you look at Mega API and SDK, design wise it is very clean. You can build your own custom application by importing those libraries which are not prone to this kind of attacks.
Without Javascript, MEGA's website is a blank white page. Without knowing exactly what MEGA is, why should a sufficiently paranoid user allow js from it to run?
Even clicking that link, I had no idea what it was. There's just a big red button and a meaningless tagline about privacy. I think it's a fair question.
All it takes is one court order in a country where MEGA operates ordering them to obtain the user-held decryption keys via the exact same method this bookmarklet demonstrates. MEGA doesn't even have to be involved. In the US, a National Security Letter to your ISP could lead to a man-in-the-middle attack with the help of an SSL certificate that the government orders a trusted CA to provide for MEGA's domain. At that point, all of MEGA's carefully-crafted claims about security are moot.