Your MEGA master key is supposed to be a secret, but MEGA or anyone else with access to your computer can easily find it without you noticing.
Frequently asked questions
- What is MEGApwn?
- MEGApwn is a bookmarklet that runs in your web browser and displays your supposedly secret MEGA master key, showing that it is not actually encrypted and can be retrieved by MEGA or anyone else with access to your computer without you knowing.
- What is a bookmarklet?
- Can MEGA read my files?
- Yes. Your web browser trusts whatever it receives from MEGA, which means they can grab your master key whenever you visit their site and then use it to decrypt and read your files. You'd never know.
- Can other people read my files?
- Yes. Any warrant or subpoena issued to MEGA for your files simply has to ask for your master key, which MEGA can retrieve, and prohibit MEGA from telling you about it. Also any browser extension you have installed can access this information without your knowledge.
- Can you get warrants like that?
- Yes, Hushmail was compelled to capture encryption keys in 2007 and Lavabit received a request so broad they opted to shut the company down rather than comply.
- How can I safely protect my files?
- Encrypt your files with PGP or GPG before uploading them to a service like MEGA. Be sure to check you downloaded a legitimate version though.
- Does this code hack or break into MEGA?
- This is stupid, of course MEGA can get my keys! I just trust them not to.
- When you get down to the root of the issue, MEGA's approach to cryptography is secure if, and only if, you trust MEGA not to extract your keys. From where I sit that's not all that different from having to trust any other more traditional cloud storage provider not to read your files.