The MEGA.nz Chrome extension has fallen prey to hackers: it was compromised to steal usernames and passwords, along with the private keys of users’ cryptocurrency accounts. The malicious behaviour was observed in MEGA.nz Chrome extension version 3.39.4, which was released to users as an update yesterday.
The stated purpose of the MEGA.nz Chrome extension is supposedly to improve its users’ browser performance, which it does by reducing page load times and integrating with MEGA’s secure cloud storage service.
The official Monero (XMR) Twitter account posted a tweet yesterday to raise awareness that the Chrome extension had been compromised, so that its users don’t experience a rude awakening down the line.
MEGA’s blog post noted the window during which the Chrome extension was compromised and the sites for which users’ credentials would have been exposed. The blog post reads:
“On 4 September 2018 at 14:30 UTC, an unknown attacker uploaded a trojaned version of MEGA’s Chrome extension, version 3.39.4, to the Google Chrome webstore. Upon installation or autoupdate, it would ask for elevated permissions (Read and change all your data on the websites you visit) that MEGA’s real extension does not require and would (if permissions were granted) exfiltrate credentials for sites including amazon.com, live.com, github.com, google.com (for webstore login), myetherwallet.com, mymonero.com, idex.market and HTTP POST requests to other sites, to a server located in Ukraine. Note that mega.nz credentials were not being exfiltrated.”
A clean version (3.39.5) of the Chrome extension has since been released and auto-updates affected installations, although Google removed the extension from the Chrome webstore five hours after the breach. The blog post also outlined which users would have been affected by the compromise:
“You are only affected if you had the MEGA Chrome extension installed at the time of the incident, auto update enabled and you accepted the additional permission, or if you freshly installed version 3.39.4. Please note that if you visited any site or made use of another extension that sends plain-text credentials through POST requests, either by direct form submission or through a background XMLHttpRequest process (MEGA is not one of them) while the trojaned extension was active, consider that your credentials were compromised on these sites and/or applications.”
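The two statements above turn on one observable signal: the trojaned update asked for a permission (“Read and change all your data on the websites you visit”) that the real extension never needed. As an added example, not MEGA’s own code or tooling, the Python below compares an update’s manifest.json against the previously installed one and flags newly requested all-sites host access and new API permissions; the manifests and the set of host patterns that trigger that prompt are constructed assumptions.

```python
import json

# Host patterns assumed to produce Chrome's "Read and change all your data on
# the websites you visit" prompt. Requested via "permissions",
# "host_permissions" or a content script's "matches" list.
ALL_SITES_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def requested_hosts(manifest):
    """Collect every host/match pattern an extension manifest asks for."""
    hosts = set()
    for field in ("permissions", "host_permissions"):
        hosts.update(p for p in manifest.get(field, []) if "/" in p or p == "<all_urls>")
    for script in manifest.get("content_scripts", []):
        hosts.update(script.get("matches", []))
    return hosts


def escalated_permissions(old_manifest, new_manifest):
    """Report what an update newly requests compared with the installed version.

    Returns whether all-sites access was added, the added host patterns and
    the added API permissions (entries of "permissions" that are not hosts).
    """
    old_hosts, new_hosts = requested_hosts(old_manifest), requested_hosts(new_manifest)
    old_apis = {p for p in old_manifest.get("permissions", []) if p not in old_hosts}
    new_apis = {p for p in new_manifest.get("permissions", []) if p not in new_hosts}
    added_hosts = new_hosts - old_hosts
    return {
        "all_sites": bool(added_hosts & ALL_SITES_PATTERNS),
        "added_hosts": sorted(added_hosts),
        "added_apis": sorted(new_apis - old_apis),
    }


# Constructed sample manifests (not MEGA's real ones): a baseline scoped to the
# vendor's own origin, and an update that asks for every site plus request
# interception, the shape of escalation quoted in MEGA's statement.
CLEAN = json.loads('{"version": "baseline", "permissions": ["storage", "https://mega.nz/*"]}')
TROJANED = json.loads(
    '{"version": "3.39.4", "permissions": ["storage", "webRequest", "<all_urls>"],'
    ' "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}]}'
)

if __name__ == "__main__":
    report = escalated_permissions(CLEAN, TROJANED)
    if report["all_sites"]:
        print("update requests access to all sites; review before accepting:", report)
```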
MEGA seems to be stuck between a rock and a hard place, as Google has decided to ‘disallow publisher signatures on Chrome extensions and is now relying solely on signing them automatically after upload to the Chrome webstore, which removes an important barrier to external compromise’. Fortunately for MEGA, the breach does not seem to extend to its Firefox extension or to its mobile apps hosted by Apple, Google and Microsoft.