MegaMegaMonitor v106 released – enhanced security

This self-post was originally posted to /r/MegaMegaMonitor. See more things from Dan's Reddit account.

tl;dr: This is a security update to MegaMegaMonitor. If you don’t update, your copy of MegaMegaMonitor will stop working.

Sorry for the wall of text – scroll down to “What’s new?” for the short version, and remember to upgrade:

So there’s been a security bug in MegaMegaMonitor since about the year dot. I’ve always known about it, and I’ve always intended to fix it (in fact, it was the very next thing on my list), but for the time being I’d been doing something particularly naughty which was to rely on ‘security through obscurity’ – hoping that nobody would put the effort in to undermining me. Well, I should’ve known better, really, and /u/BeanbagLover caught me out, making a minor tweak to their copy of MegaMegaMonitor to pretend that it was me in order to read encrypted messages from any of the currently-available subs for crypto.

I’ll stress that this was my fault. I’d have rather than /u/BeanbagLover reached out and contacted me directly, rather than testing out their new-found power in an /r/askreddit_megalounge thread (what I’d have called “ethical disclosure”), but fundamentally it was still me taking shortcuts in order to get more functionality out, quicker, that made the problem exist in the first place.

So I’ve rushed-forward my efforts to release a more-secure version of MegaMegaMonitor, putting it together this lunchtime at work. Owing to the nature of the fix, old versions of MegaMegaMonitor will stop working or will stop being up-to-date within the next few hours, so you might need to click the “install megamonitor” button again if it stops working for you and the auto-update hasn’t kicked in yet.

What’s new?

It’s all behind-the-scenes stuff, this time, I’m afraid:

  • Faster updates on the server-side: this won’t affect you yet, but will make it possible to have MegaMegaMonitor update its data more-frequently in a future release
  • Handshake authentication – instead of just trusting that you are who you claim to be and giving you the appropriate membership data and encryption/decryption keys, MegaMegaMonitor will now (if it doesn’t recognise you) perform one of several additional background identity checks to ensure that you really do have access to the subreddits that you claim to. You won’t see it – it all happens in the background – but after an update or when you first install MegaMegaMonitor you might notice that it takes a couple of seconds longer to run, the first time around.
  • Fresh cryptographic keys – I’d already implemented a system by which old encryption/decryption keys could be invalidated if they were leaked (as they now have been!), so that’s included. Again, it’s silent, but the essence of it is that even though existing encrypted messages made with MegaMegaMonitor v104 and below can potentially be read by anybody who broke the older (shit) security system (e.g. /u/BeanbagLover), they can’t read any newly-encrypted content (from v106 onwards) without finding a whole new way to break in. Which is now a lot tougher.

So there you have it – the first major security-patch to MegaMegaMonitor, out now. And again I’ll stress that I’d far prefer to see ethical disclosure of vulnerabilities in this tool (or any of my software): drop me a private message and I’ll fix things ASAP and credit you. Break them in public and I’ll still fix them, but I’ll have to do them under pressure and it’ll make me sad. This particular bug was always going to be fixed in v106: I just didn’t expect to have to find time to finish and release v106 until Sunday.

Leave a Reply

Your e-mail address will not be published. Required fields are marked *