Quote from: raven92 on July 11, 2012, 09:08 pm

First off, this is NOT an endorsement to use PrivNote; I recommend using GPG over using PrivNote. That being said, I am a big believer in the truth being spread instead of half-assed uneducated guesses and rumors. As well, I realize people are insanely lazy and have a chance of maybe using a GreaseMonkey script but no chance of using GPG, and I'd rather people be slightly more secure than not.

After KMFKwerm's post regarding PrivNote security, I started being curious just how secure PrivNote is, and found the key generation to be weak, but seemed to verify that neither your actual decrypted text nor key was ever sent to PrivNote.

Being bored in the last few days, I successfully was able to guess the random number within enough precision to bruteforce the key within 2 hours. In short, I could decrypt the text of one note stored on PrivNote's servers without the key, given 2 hours and some extra information that would be relatively hard to obtain.

I've created a shitty GreaseMonkey script that will slightly enhance the security of PrivNote by making the key slightly stronger. This could be dramatically improved, but I did not have the time to complete it (if someone wants to go for it, I recommend using keystroke / mouse movement to fuck with the seed).

It's imperative, to help increase the key strength, that you use your own random_seed number and never tell anyone what you used. I've thrown a random seed in.

***NOTE***

The key is limited to 16 only because the response jscript on PrivNote's side expects location.hash to be 16. While this is a client-side check, I'm not sure how from GreaseMonkey to intercept and allow keys > 16, but you can verify that PrivNote still doesn't actually care.

When you use a key > 16 and attempt to decrypt, privnote will end you up at /error. Simply change the url to /n/destroyed/#hash after the error page comes (privnote obviously stores your internal hash in your sessionID, which is not insecure) and it will still decrypt even with 256 byte passwords.

    // ==UserScript==
    // @id a
    // @name PrivNote Random
    // @version 1.0
    // @namespace 
    // @author 
    // @description 
    // @include https://privnote.com/*
    // @run-at document-end
    // ==/UserScript==

    // Personal seed; replace with your own number and keep it private.
    unsafeWindow.random_seeder = 93248532485239;

    // Overrides the page's key generator; C is the key length.
    unsafeWindow.random_string = function(C) {
        // "== null" also matches undefined, so a call without arguments gets 16.
        if (C == null) { C = 16 }
        var B = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!@$%^*";
        var D = "";
        for (var A = 0; A < C; A++) {
            // Declared locally so it does not leak into the global scope.
            var pos = Math.floor( (unsafeWindow.random_seeder * (Math.random() * B.length)) % B.length );
            D += B.charAt(pos)
        }
        return D
    }

And from me, many thanks Raven.

V.
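
The quoted post notes that the script "could be dramatically improved". The following is an added example, not part of either post and not PrivNote's code: it draws a 16-character key over the same alphabet from the Web Crypto CSPRNG instead of Math.random(), using rejection sampling to avoid modulo bias. The names secureRandomString, cryptoBytes and keyEntropyBits are hypothetical, and it assumes a runtime that exposes globalThis.crypto.

```javascript
// Added example (not from the original post). ALPHABET is copied from the
// quoted script; all function names here are hypothetical.
const ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!@$%^*";

// Default byte source: the Web Crypto CSPRNG (browsers, recent Node.js).
function cryptoBytes(n) {
  const buf = new Uint8Array(n);
  globalThis.crypto.getRandomValues(buf);
  return buf;
}

// Returns `length` characters chosen uniformly from ALPHABET.
// `byteSource(n)` must return n random bytes; it is a parameter so the
// rejection step can be exercised with constructed input.
function secureRandomString(length = 16, byteSource = cryptoBytes) {
  const n = ALPHABET.length;        // 58 symbols
  const limit = 256 - (256 % n);    // 232, the largest multiple of 58 that fits in a byte
  let out = "";
  while (out.length < length) {
    // Request only as many bytes as characters are still missing.
    for (const b of byteSource(length - out.length)) {
      // Bytes 232..255 are discarded: mapping them with % would make the
      // first 24 symbols slightly more likely than the rest.
      if (b < limit) out += ALPHABET.charAt(b % n);
    }
  }
  return out;
}

// Upper bound on key strength in bits. It is reached only when every
// character is uniform and unpredictable, which Math.random() does not promise.
function keyEntropyBits(length = 16) {
  return length * Math.log2(ALPHABET.length);
}
```

In a userscript this would take the place of the body of random_string; the 16-character length matches the location.hash check described in the post.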