Software developer releases tool that claims to reveal Mega users’ master key

Update

[September 04 10:23 GMT] Mega has put up a detailed write-up of the security issues highlighted in the story below. You can find it here.

Original Story

Michael Koziarski, a software developer, has released a browser-based JavaScript bookmarklet that he claims can reveal Mega users’ master key. Koziarski went on to claim that Mega has the ability to grab its users’ keys and use them to access their files.

Dubbed MegaPWN, the tool not only reveals a user’s master key but also gives away the user’s RSA private key exponent. “MEGApwn is a bookmarklet that runs in your web browser and displays your supposedly secret MEGA master key, showing that it is not actually encrypted and can be retrieved by MEGA or anyone else with access to your computer without you knowing,” reads an explanation about the bookmarklet on its official page.

Koziarski also claimed that third-party browser extensions could potentially access a user’s master key. The developer’s second claim, that Mega has access to these keys and to users’ files, is more controversial and has serious implications for the privacy of the service. The developer said that a user’s web browser trusts anything and everything that is sent from Mega and the company could easily fetch the master key and “then use it to decrypt and read your files. You’d never know.”

Mega programmer Bram Van der Kolk got into a heated argument with Koziarski following the release of the tool. Kolk asked in a tweet whether it was Mega’s responsibility to protect users in case someone has access to a user’s system.

To this, Koziarski replied, “No. I want users to understand just how easily you could read all their files if you wanted to.”

When pressed on whether Mega had access to users’ master keys, Kolk tweeted, “are you seriously suggesting that we will serve trojaned JavaScript? Install one of our browser extensions and turn off auto-updates.” To this, Koziarski replied, “I have no idea what you’ll do, you seem nice enough, my point is just that your security is effectively identical to SSL/dropbox.”

Mega and Kim Dotcom have made headlines again recently following Snowden’s revelations of NSA spying and the closure of two secure email service providers – Silent Circle and Lavabit. Kim Dotcom said after the closure that Mega will soon launch two new services – secure email and messaging – and that they will fill the void left by Lavabit and Silent Circle.

  • Brently Ford

    So you are saying that only Mega can see into my computer and uploaded files even if I am NOT a criminal? I would rather think that Mega could convince Governments that Mega has no interest whatsoever in people’s FREEDOM !!!