The Latest in IT Security

Detect NSA’s ‘Funny Business’ with TamperMonkey

11 Sep 2013

In a post last week about MegaPWN, the new ‘hack’ against Mega, we talked about implementing a GreaseMonkey script to avoid falling victim to a hack on Mega’s servers.
The script would mainly look for changes in the JavaScript files loaded from Mega that perform the “crypto-magic”.

I decided to give it a try and wrote a TamperMonkey script (the Chrome equivalent of GreaseMonkey) called MEGACheck that runs every time a user visits Mega and performs the aforementioned integrity check.

What Is TamperMonkey(TM)?

Tampermonkey is a free browser extension and the most popular Userscript manager for Blink-based Browsers like Chrome and Opera Next. Even though Google Chrome does have native support for Userscripts, Tampermonkey can give you much more convenience in managing your Userscripts.

How to Install TM and MEGACheck?

TamperMonkey can easily be installed on Chrome by clicking on this link and adding it to your browser. Running MEGACheck is as simple as copying the attached code into a new script in the TamperMonkey Dashboard.

MEGACheck Source Code

MEGACheck

What does MEGACheck Do?

In case you’re curious, the script performs the following functions:

  1. Checks for an existing SHA256 value in the browser localStorage for Mega. If not found, the value is null.
  2. Calculates the SHA256 of the script containing the crypto functions from the current page load. (The script object is not directly accessible from the DOM, probably for security reasons, and hence needs to be fetched using an XMLHttpRequest.)
  3. Compares the two, and alerts the user. If the values are different, the new SHA256 value is saved in localStorage.

Note that the script would work as long as the browser’s localStorage isn’t deleted – which, according to the Standard is only done

“for security reasons or when requested to do so by the user.”
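
The three steps above, sketched as an added example (this is not the original MEGACheck source). It runs under Node.js so it can be executed offline: `MemoryStorage` stands in for the browser's localStorage, and the storage key name and the sample script bodies are assumptions constructed for illustration.

```javascript
// Added example, not the original MEGACheck source. Runs under Node.js.
const { createHash } = require('crypto');

// Stand-in for window.localStorage (getItem/setItem only) so this runs offline.
class MemoryStorage {
  constructor() { this.items = new Map(); }
  getItem(key) { return this.items.has(key) ? this.items.get(key) : null; }
  setItem(key, value) { this.items.set(key, String(value)); }
}

function sha256Hex(text) {
  return createHash('sha256').update(text, 'utf8').digest('hex');
}

// storageKey is a hypothetical name; the page does not say which key MEGACheck uses.
function checkScriptIntegrity(storage, scriptBody, storageKey = 'megacheck.sha256') {
  const previous = storage.getItem(storageKey); // step 1: null if nothing stored yet
  const current = sha256Hex(scriptBody);        // step 2: hash of the fetched script
  let status;
  if (previous === null) {
    status = 'first-seen';   // no baseline: this load is trusted as-is
  } else if (previous === current) {
    status = 'unchanged';
  } else {
    status = 'changed';      // differs from the last load: alert the user
  }
  // Step 3: on any difference the new hash becomes the stored value.
  if (status !== 'unchanged') storage.setItem(storageKey, current);
  return { status, previous, current };
}

// Constructed sample script bodies (not Mega's code); V2 differs by one byte.
const SAMPLE_V1 = 'function wrapKey(k) { return aesEncrypt(k); }';
const SAMPLE_V2 = 'function wrapKey(k) { return aesEncrypt(k) ; }';

// Four consecutive "page loads" against the same storage.
function demo() {
  const storage = new MemoryStorage();
  return [SAMPLE_V1, SAMPLE_V1, SAMPLE_V2, SAMPLE_V2]
    .map((body) => checkScriptIntegrity(storage, body).status);
}

console.log(demo().join(', '));
```

Because a changed hash immediately replaces the stored one, the alert fires once per change and the next load reports no difference. The very first load has no baseline to compare against, so the check only detects changes made after it.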

What does this have to do with the NSA?

In light of all the recent developments from Edward Snowden’s revelations about the NSA’s decryption capabilities and the cyber-bully streak it’s been on (e.g. the Lavabit takedown), the same script could be used to monitor changes in what different websites feed our browsers.

To quote Bruce Schneier: “The NSA has undermined a fundamental social contract. We engineers built the internet – and now we have to fix it”.

Although an extension of this sort would qualify more as a preventive measure than a fix, it’s still a step towards being more aware of what we run on our computers – irrespective of the source it’s coming from!

Can it be used with other websites?

Yes, the script can be used with other websites by changing the following parameters:

  1. The “match” parameter that specifies the website on which the script should run.
     // @match     https://mega.co.nz*
  2. The “require” parameter that specifies which scripts must be loaded before the TamperMonkey script runs.
     // @require   https://mega.co.nz/secureboot.js*
  3. The element in the DOM on which the integrity check needs to be performed (which can be identified by studying the source code on any website).

An Update from MegaPWN

Interestingly enough, I noticed some changes in the way Mega stores its keys since the release of MegaPWN.
The MegaPWN script now only works if the user selects ‘Remember Me’ while logging in, resulting in the keys being saved in the browser’s localStorage.
If this option is not selected, the keys are stored in sessionStorage and MegaPWN fails to access your keys.
