In a post last week regarding the new ‘hack’ against Mega, MegaPWN, we talked about the implementation of a GreaseMonkey script to avoid being a victim of a hack on Mega servers.
I decided to give it a try and wrote a TamperMonkey script (the Chrome equivalent of GreaseMonkey) called MEGACheck that runs everytime a user visits Mega, and performs the aforementioned integrity check.
What Is TamperMonkey(TM)?
Tampermonkey is a free browser extension and the most popular Userscript manager for Blink-based Browsers like Chrome and Opera Next. Even though Google Chrome does have native support for Userscripts, Tampermonkey can give you much more convenience in managing your Userscripts
How to Install TM and MEGACheck?
TamperMonkey can easily be installed on Chrome by clicking on this link and adding it to your browser. Running MEGACheck is as simple as copying the attached code a new script in the TamperMonkey DashBoard.
What does MEGACheck Do?
In case you’re curious, the script performs the following functions :
- 1. Checks for an existing SHA256 value in the browser localStorage for Mega. It not found, the value is null.
- 2. Calculates the SHA256 on the script containing crypto functions from the current page load. (The script object is not directly accessible from the DOM, probably for security reasons and hence needs to be fetched using an XMLHttpRequest)
- 3. Compares the two, and alerts the user. If the values are different, the new SHA256 value is saved in localstorage.
Note that the script would work as long as the browser’s localStorage isn’t deleted – which, according to the Standard is only done
“for security reasons or when requested to do so by the user.”
What does this have to do with the NSA?
In light of all the recent developments from Edward Snowden’s revelations about the NSA’s decryption capabilities and the cyber-bully streak it’s been on (Eg: the Lavabit takedown), the same script could be used to monitor changes in what different websites feed our browsers.
Although, an extension of this sort would qualify more as a preventive measure than a fix, it’s still a step towards being more aware of what we run on our computers – irrespective of the source it’s coming from!
Can it be used with other websites?
Yes, the script can be used with other websites by changing the following parameters :
- 1. The “match” parameter that specifies the website on which the script should run.
// @match https://mega.co.nz*
- 2. The “require” parameter that specifies which scripts must be loaded before the TamperMonkey script runs.
// @require https://mega.co.nz/secureboot.js*
- 3. The element in the DOM on which the integrity check needs to be performed (which can be identified by studying the source code on any website).
An Update from MegaPWN
Interestingly enough, I noticed some changes in the way Mega stores it’s keys since the release of MegaPWN.
The MegaPWN script now only works if the user selects ‘Remember Me’ while logging in, resulting in the keys being saved in the browser’s localStorage.
If this option is not selected, the keys are stored in sessionStorage and MegaPWN fails to access your keys.
Leave a reply