In a post last week regarding the new 'hack' against Mega, MegaPWN, we talked about the implementation of a GreaseMonkey script to avoid being a victim of a hack on Mega servers.
I decided to give it a try and wrote a TamperMonkey script (the Chrome equivalent of GreaseMonkey) called MEGACheck that runs every time a user visits Mega, and performs the aforementioned integrity check.
What Is TamperMonkey(TM)?
Tampermonkey is a free browser extension and the most popular Userscript manager for Blink-based Browsers like Chrome and Opera Next. Even though Google Chrome does have native support for Userscripts, Tampermonkey can give you much more convenience in managing your Userscripts.
How to Install TM and MEGACheck?
TamperMonkey can easily be installed on Chrome by clicking on this link and adding it to your browser.
Running MEGACheck is as simple as copying the attached code into a new script in the TamperMonkey Dashboard.
What does MEGACheck Do?
In case you're curious, the script performs the following functions:
Note that the script would work as long as the browser's localStorage isn't deleted - which, according to the Standard, is only done "for security reasons or when requested to do so by the user."
What does this have to do with the NSA?
In light of all the recent developments from Edward Snowden's revelations about the NSA's decryption capabilities and the cyber-bully streak it's been on (e.g. the Lavabit takedown), the same script could be used to monitor changes in what different websites feed our browsers.
To quote Bruce Schneier: "The NSA has undermined a fundamental social contract. We engineers built the internet - and now we have to fix it".
Although an extension of this sort would qualify more as a preventive measure than a fix, it's still a step towards being more aware of what we run on our computers - irrespective of the source it's coming from!
Can it be used with other websites?
Yes, the script can be used with other websites by changing the following parameters:
// @match https://mega.co.nz*
// @require https://mega.co.nz/secureboot.js*
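The kind of integrity check described above, as an added example (it is not the MEGACheck script, which is not reproduced on this page): hash the script body a site serves, pin the hash on first sight, and flag any later change. The function names, the storage key prefix, the example URL and the sample script bodies are assumptions; in a userscript `store` would be `window.localStorage`.

```javascript
// Added example, not the original MEGACheck code; all names are hypothetical.
// Web Crypto is a global in browsers and recent Node; older Node needs the fallback.
const webcrypto = globalThis.crypto ??
  (typeof require === 'function' ? require('node:crypto').webcrypto : undefined);

const KEY_PREFIX = 'integrity-pin:'; // assumed storage key prefix

// SHA-256 of a string, hex-encoded.
async function sha256Hex(text) {
  const bytes = new TextEncoder().encode(text);
  const digest = await webcrypto.subtle.digest('SHA-256', bytes);
  return Array.from(new Uint8Array(digest), b => b.toString(16).padStart(2, '0')).join('');
}

// Trust-on-first-use check of one served script body.
// store: any object with getItem/setItem (window.localStorage in a userscript).
async function checkScript(store, url, body) {
  const seen = await sha256Hex(body);
  const pinned = store.getItem(KEY_PREFIX + url);
  if (pinned === null) {
    store.setItem(KEY_PREFIX + url, seen); // first visit: nothing to compare against
    return { status: 'first-seen', pinned: seen, seen };
  }
  // On a mismatch the pin is kept, so the alert repeats until the user re-pins.
  return { status: pinned === seen ? 'unchanged' : 'changed', pinned, seen };
}

// In-memory stand-in for localStorage so the example runs outside a browser.
function memoryStore() {
  const m = new Map();
  return {
    getItem: k => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    clear: () => m.clear(),
  };
}

// Constructed sample: two versions of a served script at a made-up URL.
async function demo() {
  const store = memoryStore();
  const url = 'https://site.example/boot.js';
  const v1 = 'var build = 1;', v2 = 'var build = 1; sendKeys();';
  const out = [];
  for (const body of [v1, v1, v2, v2]) out.push((await checkScript(store, url, body)).status);
  store.clear(); // cleared storage: the changed script is silently re-pinned
  out.push((await checkScript(store, url, v2)).status);
  return out;
}
```

The last step of `demo()` shows the localStorage caveat noted above: once the pin is gone, a modified script is accepted as the new baseline.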
An Update from MegaPWN
Interestingly enough, I noticed some changes in the way Mega stores its keys since the release of MegaPWN.
The MegaPWN script now only works if the user selects 'Remember Me' while logging in, resulting in the keys being saved in the browser's localStorage.
If this option is not selected, the keys are stored in sessionStorage and MegaPWN fails to access your keys.