MEGA Chrome browser extension hacked, bogus version stole users’ credentials

Pierluigi Paganini September 06, 2018

The MEGA Chrome browser extension was hacked and replaced with one that steals users’ credentials for popular web services

Are you using the MEGA Chrome browser extension? Uninstall it now: the Chrome extension for the MEGA file storage service was hacked and replaced with one that steals users’ credentials for popular web services (such as Amazon, Microsoft, GitHub, and Google) and private keys for cryptocurrency wallets (MyEtherWallet and MyMonero) and the Idex.market cryptocurrency trading platform.

According to Mega, on 4 September at 14:30 UTC an attacker broke into the company’s Google Chrome Web Store account and uploaded a malicious version 3.39.4 of the extension.

“On 4 September 2018 at 14:30 UTC, an unknown attacker uploaded a trojaned version of MEGA’s Chrome extension, version 3.39.4, to the Google Chrome webstore,” reads the security advisory published by Mega.

“Upon installation or autoupdate, it would ask for elevated permissions (Read and change all your data on the websites you visit) that MEGA’s real extension does not require and would (if permissions were granted) exfiltrate credentials for sites including amazon.com, live.com, github.com, google.com (for webstore login), myetherwallet.com, mymonero.com, idex.market and HTTP POST requests to other sites, to a server located in Ukraine. Note that mega.nz credentials were not being exfiltrated.”

Once installed, or after an auto-update, the malicious MEGA Chrome extension asked for elevated permissions, used them to harvest the sensitive data, and sent it to an attacker-controlled server located in Ukraine (megaopac[.]host).

Four hours after the breach, Mega uploaded a clean version (3.39.5) to the store, and affected installations were auto-updated. Google removed the malicious extension from the Chrome Web Store five hours after the breach.

“You are only affected if you had the MEGA Chrome extension installed at the time of the incident, autoupdate enabled, and you accepted the additional permission, or if you freshly installed version 3.39.4,” continues the advisory.

Mega pointed out that Google does not allow publishers to sign their own Chrome extensions and instead relies solely on signing them automatically once they are uploaded, which leaves the door open to similar compromises.

The Italian security researcher who handles the Twitter account @serhack_ first reported the breach on both Reddit and Twitter.

At the time of writing it is not clear how many users installed the malicious MEGA Chrome browser extension; experts speculate that tens of millions of users may have been affected.

The Firefox version of MEGA has not been compromised, and users accessing https://mega.nz without the Chrome extension have not been affected.

“Please note that if you visited any site or made use of another extension that sends plain-text credentials through POST requests, either by direct form submission or through a background XMLHttpRequest process (MEGA is not one of them) while the trojaned extension was active, consider that your credentials were compromised on these sites and/or applications,” the company added.

Users who installed the malicious MEGA Chrome browser extension should uninstall version 3.39.4 and change the passwords for all of their accounts.
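As an added example (not code from the article or from Mega), the following Python script audits the manifests of installed Chrome extensions for the two warning signs this incident exposed: the trojaned version number named in the advisory, and broad host permissions that trigger Chrome’s “Read and change all your data on the websites you visit” prompt. It assumes the extension’s manifest `name` is “MEGA”, that the profile’s `Extensions/` directory follows Chrome’s usual `<id>/<version>/manifest.json` layout, and uses constructed sample manifests rather than the real ones.

```python
import json
from pathlib import Path

# Host-permission patterns that produce Chrome's "Read and change all your data
# on the websites you visit" warning (the usual broad patterns; assumption).
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# The trojaned build named in Mega's advisory; matching by manifest name "MEGA"
# is an assumption, the real manifest may localise the name.
KNOWN_BAD_NAME, KNOWN_BAD_VERSION = "MEGA", "3.39.4"


def audit_manifest(manifest: dict) -> list:
    """Return a list of human-readable findings for one extension manifest."""
    findings = []
    name = str(manifest.get("name", "")).strip()
    version = str(manifest.get("version", ""))
    label = f"{name} {version}"
    if name.lower() == KNOWN_BAD_NAME.lower() and version == KNOWN_BAD_VERSION:
        findings.append(f"{label}: version named in the MEGA advisory; uninstall and rotate passwords")
    # Manifest v2 keeps host patterns in "permissions"; v3 moves them to "host_permissions".
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    broad = perms & BROAD_HOST_PATTERNS
    if broad:
        findings.append(f"{label}: broad host access {sorted(broad)}")
    # webRequest combined with broad host access lets an extension observe request
    # bodies, which is how POSTed credentials can be read before they leave the browser.
    if "webRequest" in perms and broad:
        findings.append(f"{label}: webRequest plus broad host access can observe POST bodies")
    return findings


def audit_profile(extensions_dir) -> list:
    """Walk a Chrome profile's Extensions/ directory (e.g. ~/.config/google-chrome/Default/Extensions) and audit every manifest.json."""
    findings = []
    for manifest_path in Path(extensions_dir).glob("*/*/manifest.json"):
        try:
            with open(manifest_path, encoding="utf-8") as fh:
                findings += audit_manifest(json.load(fh))
        except (OSError, ValueError) as exc:
            findings.append(f"{manifest_path}: unreadable ({exc})")
    return findings


# Constructed sample manifests (not the real extension's manifests).
SAMPLE_CLEAN = {"name": "MEGA", "version": "3.39.5", "permissions": ["storage", "*://*.mega.nz/*"]}
SAMPLE_TROJAN = {"name": "MEGA", "version": "3.39.4",
                 "permissions": ["storage", "<all_urls>", "webRequest", "webRequestBlocking"]}

if __name__ == "__main__":
    for sample in (SAMPLE_CLEAN, SAMPLE_TROJAN):
        print(audit_manifest(sample) or [f"{sample['name']} {sample['version']}: no findings"])
```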

@SerHack published an interesting post on the hack, I suggest you read it.

Pierluigi Paganini

(Security Affairs –  MEGA Chrome browser extension, hacking)
