MEGApwn

Bookmarklet to recover your secret MEGA master key

MEGApwn

If your browser supports it, drag this bookmarklet to your bookmarks or favorites bar.

"Technically, we could serve you backdoored JavaScript code that sends your master encryption key back to us."MEGA

Your MEGA master key is supposed to be a secret, but MEGA or anyone else with access to your computer can easily find it without you noticing.


Frequently asked questions

What is MEGApwn?
MEGApwn is a bookmarklet that runs in your web browser and displays your supposedly secret MEGA master key, showing that it is not actually encrypted and can be retrieved by MEGA or anyone else with access to your computer without you knowing.
What is a bookmarklet?
A bookmarklet is a bookmark stored in a web browser that contains JavaScript commands to extend the browser's functionality. You can read more about bookmarklets on Wikipedia.
Can MEGA read my files?
Yes. Your web browser trusts whatever it receives from MEGA, which means they can grab your master key whenever you visit their site and then use it to decrypt and read your files. You'd never know.
Can other people read my files?
Yes. Any warrant or subpoena issued to MEGA for your files simply has to ask for your master key, which MEGA can retrieve, and prohibit MEGA from telling you about it. Also, any browser extension you have installed can access this information without your knowledge.
Can you get warrants like that?
Yes. Hushmail was compelled to capture encryption keys in 2007, and Lavabit received a request so broad that it opted to shut the company down rather than comply.
How can I safely protect my files?
Encrypt your files with PGP or GPG before uploading them to a service like MEGA. Be sure to check that you downloaded a legitimate version, though.
Does this code hack or break into MEGA?
No, it simply demonstrates one of the many serious and insoluble problems you face when doing cryptography in JavaScript web applications. There are many other problems like this, which is why numerous respected cryptographers have warned against doing this for years.
This is stupid, of course MEGA can get my keys! I just trust them not to.
When you get down to the root of the issue, MEGA's approach to cryptography is secure if, and only if, you trust MEGA not to extract your keys. From where I sit that's not all that different from having to trust any other more traditional cloud storage provider not to read your files.

How it works

Once you have installed the bookmarklet, log into MEGA. Clicking the button will show you something like this:

The MEGA web site stores your secret master key in the local storage area of your web browser where any code running on your computer, in your browser, or on MEGA can easily retrieve it. While MEGApwn simply displays enough information to prove the correct key has been recovered, similar code could just as easily send your master key to anywhere on the Internet, including back to MEGA.


Source

// MEGApwn bookmarklet. It runs inside the MEGA page, so the helpers b2s and
// s2hex and the Ext.Msg dialog are not defined here; the bookmarklet relies on
// them being present as globals on the page it is run against.
function megaPWN() {
  // Render an array of 32-bit words as hex, grouped eight characters (one word) at a time.
  var format = function(a) {
    var padded = "";
    var hex = s2hex(b2s(a));
    for (var i = 0; i < hex.length; i += 8) {
      padded += hex.substr(i, 8);
      padded += ' ';
    }
    return padded;
  };

  // The AES master key sits in localStorage as a plain JSON array under "k".
  var masterAESKey = JSON.parse(window.localStorage.k);

  // The RSA private key components sit in localStorage as a JSON array under "privk".
  var rsaPrivateKeyComponents = JSON.parse(window.localStorage.privk);
  var rsaD = rsaPrivateKeyComponents[2];
  var rsaP = rsaPrivateKeyComponents[0];
  var rsaQ = rsaPrivateKeyComponents[1];
  var rsaU = rsaPrivateKeyComponents[3];

  // Only show enough of each value to prove the correct key was recovered.
  var lesson = "Your MEGA master key is: " + format(masterAESKey);
  lesson += "<br>";
  lesson += "Your RSA private key exponent starts with: d=" + format(rsaD).substr(0, 107);
  lesson += "<br>";
  lesson += "MEGA and anyone else with access to your computer can see this, and use it to decrypt any file you upload.";

  // Display the result in the page's own dialog widget.
  Ext.Msg.show({
    title: "megaPWN",
    msg: lesson
  });
}
megaPWN();