A popular Google Chrome extension for file-sharing service MEGA has been compromised by a group of hackers who managed to steal users private keys, usernames, and passwords.
On September 4, a researcher named SerHack was the first one to send out an alert via Twitter mentioning the hacked extension. He noticed that the tool potentially harvested user credentials from various platforms, including Microsoft, Github, Google, Amazon, MyEtherWallet, MyMonero, IDEX.market, and Live,
The hacker uploaded the malicious version of the browser extension, i.e., version 3.39.4 in an effort to gain access to different websites. The passwords were then sent to a Ukraine-based server.
MEGA has released a statement and confirmed the hack, “On 4 September 2018 at 14:30 UTC, an unknown attacker uploaded a trojaned version of MEGA’s Chrome extension, version 3.39.4, to the Google Chrome Webstore. Upon installation or auto update, it would ask for elevated permissions (Read and change all your data on the websites you visit) that MEGA’s real extension does not require and would (if permissions were granted) exfiltrate credentials for sites including amazon.com, live.com, github.com, google.com (for webstore login), myetherwallet.com, mymonero.com, idex.market and HTTP POST requests to other sites, to a server located in Ukraine. Note that mega.nz credentials were not being exfiltrated.”
However, MEGA has blamed Google for this incidence as they have removed publisher signatures on Chrome extensions and making it easier for hackers to attack.
“We would like to apologize for this significant incident. MEGA uses strict release procedures with multi-party code review, robust build workflow and cryptographic signatures where possible. Unfortunately, Google decided to disallow publisher signatures on Chrome extensions and is now relying solely on signing them automatically after upload to the Chrome webstore, which removes an important barrier to external compromise.”
“MEGAsync and our Firefox extension are signed and hosted by us and could therefore not have fallen victim to this attack vector. While our mobile apps are hosted by Apple/Google/Microsoft, they are cryptographically signed by us and therefore immune as well.”
The best way to stay safe from this kind of attack is to not download any extension you won’t need.