A brand new piece of software released in the past few hours claims to reveal MEGA users’ master keys. The creator of the tool, an easily installed browser bookmarklet called MEGApwn, says that, armed with the software, anyone with access to a Mega user’s computer can access their keys. Even more controversially, the New Zealand-based software developer adds that Mega is able to gain access to a user’s files.
Kim Dotcom’s Mega.co.nz launched as the ‘Privacy Company’ with a special emphasis on the security of its users’ files. The company says that due to encryption, no one can access a user’s files hosted on Mega unless the user gives his permission. In the wake of the NSA scandal, the usefulness of encryption has really come to the forefront, and MEGA is now positioned to release encrypted messaging and email services utilizing similar technology. However, the company’s claims also mean that it becomes a target for those seeking to point out potential weaknesses in its system.
A few hours ago a software developer called Michael Koziarski released a new tool which he claims highlights a fundamental issue with the encryption mechanism implemented by Mega.
The software, known as MEGApwn, is a JavaScript bookmarklet that runs in a web browser. Once a user is logged into MEGA, it claims to reveal that user’s MEGA master key. Koziarski says that this proves that the master key itself is not encrypted and that anyone with access to a MEGA user’s computer can access it.
However, this is not the most controversial claim. Koziarski says that MEGA itself is able to grab a key and use it to access a user’s files.
“Your web browser trusts whatever it receives from MEGA, which means they can grab your master key whenever you visit their site and then use it to decrypt and read your files. You’d never know,” Koziarski explains.

The dev, who maintains several open source projects, says that if MEGA was issued with a subpoena it could be forced to obtain a user’s master key and be forbidden by law to reveal anything about it. He also claims that ANY installed browser extension could access a user’s master key.
The revelations provoked an exchange with MEGA programmer Bram Van der Kolk, who questioned how MEGA would stop anyone gaining access to a user’s computer.
“You seriously want MEGA to protect users against this?” he said.
“No, I want users to understand just how easily you could read all their files if you wanted to,” Koziarski responded.
“You mean how easily the user himself can read his own files. How exactly can an external attacker take advantage of this?” Van der Kolk questioned.
“So you agree MEGA is only secure against external attackers, that you can read my files if you wanted to?” Koziarski fired back.
“Are you seriously suggesting that we will serve trojaned JavaScript? Install one of our browser extensions and turn off auto-updates,” Van der Kolk countered.
To try and get a clearer idea of how serious (or not) this issue is, TorrentFreak contacted both MEGA and Koziarski for comment on the new tool. We are yet to receive a response, but in the meantime the latter is suggesting that as long as a site uses JavaScript for security, the highlighted problem cannot be overcome.
“Does this code hack or break into MEGA? No, it simply demonstrates one of the many serious and insoluble problems you face when doing cryptography in JavaScript web applications. There are many other problems like this, which is why numerous respected cryptographers have warned against doing this for years,” he concludes.