Update [September 04 10:23 GMT]: Mega has put up a detailed write-up of the security issues highlighted in the story below. You can find it here.
Dubbed MegaPWN, the tool not only reveals a user’s master key but also gives away the user’s RSA private key exponent. “MEGApwn is a bookmarklet that runs in your web browser and displays your supposedly secret MEGA master key, showing that it is not actually encrypted and can be retrieved by MEGA or anyone else with access to your computer without you knowing,” reads the explanation of the bookmarklet on its official page.
Koziarski also claimed that third-party browser extensions could potentially access a user’s master key. The developer’s second claim, that Mega itself has access to these keys and to users’ files, is more controversial and has serious implications for the privacy of the service. The developer said that a user’s web browser trusts anything and everything that is sent from Mega, so the company could easily fetch the master key and “then use it to decrypt and read your files. You’d never know.”
Mega programmer Bram Van der Kolk got into a heated argument with Koziarski following the release of the tool. Van der Kolk asked in a tweet whether it was Mega’s responsibility to protect users when someone already has access to the user’s system.
To this, Koziarski replied: “No. I want users to understand just how easily you could read all their files if you wanted to.”
Mega and Kim Dotcom have made the headlines again recently following the Snowden revelations of NSA spying and the closure of two secure email providers, Silent Circle and Lavabit. After the closures, Kim Dotcom said that Mega will soon launch two new services, secure email and secure messaging, to fill the void left by Lavabit and Silent Circle.