MEGA Chrome Extension Compromised To Steal Cryptocurrency

Hackers who compromised the Google Chrome extension for the popular file upload and sharing service MEGA used the same to steal cryptocurrency as well as login credentials, as per reports.

MEGA Chrome extension, which also provides secure cloud storage service, claims to improve browser performance as well, by reducing page loading times. The Company, in a blog post dated September 4, explains, “On 4 September 2018 at 14:30 UTC, an unknown attacker uploaded a trojaned version of MEGA’s Chrome extension, version 3.39.4, to the Google Chrome webstore. Upon installation or autoupdate, it would ask for elevated permissions (Read and change all your data on the websites you visit) that MEGA’s real extension does not require and would (if permissions were granted) exfiltrate credentials for sites including amazon.com, live.com, github.com, google.com (for webstore login), myetherwallet.com, mymonero.com, idex.market and HTTP POST requests to other sites, to a server located in Ukraine.”

The blog post clarifies that those using the https://mega.nz without the Chrome extension were not affected by this attack.

However, four hours after the attack happened, MEGA updated the Google Chrome extension with a clean version (3.39.5), thereby auto-updating affected installations. Five hours after the breach, Google removed the extension from the Chrome Webstore, following which it started showing a 404 error for users clicking the link for the extension.

How the hackers steal the login information…
Once the MEGA extension on the Google Chrome browser is compromised, it starts actively monitoring the user information in the browser and looks out for URL strings that indicate registration or login forms. The data thus acquired would then be sent to an unidentified host, https://www.megaopac.host/, in Ukraine. The hackers also use the malicious code to monitor for specific URLs like amazon.com, github.com, myetherwallet.com, mymonero.com etc. Once saved information is detected, a javascript function is executed following which attempts are made to steal private crypto keys from users who are logged in.

Not all users affected
MEGA clarifies that all users of the MEGA chrome extension wouldn’t be affected. The MEGA blog post states, “You are only affected if you had the MEGA Chrome extension installed at the time of the incident, autoupdate enabled and you accepted the additional permission, or if you freshly installed version 3.39.4. Please note that if you visited any site or made use of another extension that sends plain-text credentials through POST requests, either by direct form submission or through a background XMLHttpRequest process (MEGA is not one of them) while the trojaned extension was active, consider that your credentials were compromised on these sites and/or applications.”

MEGA blames Google
MEGA has, in its post, blamed Google for having removed their ability to sign extensions. This, according to MEGA, makes it easier for such attacks to happen.

The MEGA post says-“We would like to apologise for this significant incident. MEGA uses strict release procedures with multi-party code review, robust build workflow and cryptographic signatures where possible. Unfortunately, Google decided to disallow publisher signatures on Chrome extensions and is now relying solely on signing them automatically after upload to the Chrome webstore, which removes an important barrier to external compromise. MEGAsync and our Firefox extension are signed and hosted by us and could therefore not have fallen victim to this attack vector. While our mobile apps are hosted by Apple/Google/Microsoft, they are cryptographically signed by us and therefore immune as well.”