MEGA Chrome Extension Compromised To Steal Cryptocurrency
Hackers who compromised the Google Chrome extension for the popular file upload and sharing service MEGA used the same to steal cryptocurrency as well as login credentials, as per reports.
MEGA Chrome extension, which also provides secure cloud storage service, claims to improve browser performance as well, by reducing page loading times. The Company, in a blog post dated September 4, explains, “On 4 September 2018 at 14:30 UTC, an unknown attacker uploaded a trojaned version of MEGA’s Chrome extension, version 3.39.4, to the Google Chrome webstore. Upon installation or autoupdate, it would ask for elevated permissions (Read and change all your data on the websites you visit) that MEGA’s real extension does not require and would (if permissions were granted) exfiltrate credentials for sites including amazon.com, live.com, github.com, google.com (for webstore login), myetherwallet.com, mymonero.com, idex.market and HTTP POST requests to other sites, to a server located in Ukraine.”
The blog post clarifies that those using the https://mega.nz without the Chrome extension were not affected by this attack.
However, four hours after the attack happened, MEGA updated the Google Chrome extension with a clean version (3.39.5), thereby auto-updating affected installations. Five hours after the breach, Google removed the extension from the Chrome Webstore, following which it started showing a 404 error for users clicking the link for the extension.
How the hackers steal the login information…
Not all users affected
MEGA clarifies that all users of the MEGA chrome extension wouldn’t be affected. The MEGA blog post states, “You are only affected if you had the MEGA Chrome extension installed at the time of the incident, autoupdate enabled and you accepted the additional permission, or if you freshly installed version 3.39.4. Please note that if you visited any site or made use of another extension that sends plain-text credentials through POST requests, either by direct form submission or through a background XMLHttpRequest process (MEGA is not one of them) while the trojaned extension was active, consider that your credentials were compromised on these sites and/or applications.”
MEGA blames Google
MEGA has, in its post, blamed Google for having removed their ability to sign extensions. This, according to MEGA, makes it easier for such attacks to happen.
The MEGA post says-“We would like to apologise for this significant incident. MEGA uses strict release procedures with multi-party code review, robust build workflow and cryptographic signatures where possible. Unfortunately, Google decided to disallow publisher signatures on Chrome extensions and is now relying solely on signing them automatically after upload to the Chrome webstore, which removes an important barrier to external compromise. MEGAsync and our Firefox extension are signed and hosted by us and could therefore not have fallen victim to this attack vector. While our mobile apps are hosted by Apple/Google/Microsoft, they are cryptographically signed by us and therefore immune as well.”
Kevin Jones951 Posts
Kevin Jones, Ph.D., is a research associate and a Cyber Security Author with experience in Penetration Testing, Vulnerability Assessments, Monitoring solutions, Surveillance and Offensive technologies etc. Currently, he is a freelance writer on latest security news and other happenings. He has authored numerous articles and exploits which can be found on popular sites like hackercombat.com and others.