
MEGA's Chrome extension hacked; third party credentials exposed

06 Sep 2018

Online file sharing site MEGA has warned users to be wary of a malicious Chrome extension that is masquerading as the real one. MEGA said in a blog post this week that an unidentified attacker uploaded a Trojanised version of MEGA’s Chrome extension to the Google Chrome webstore. Those who do not use or access MEGA through the Chrome extension are not affected.

The malicious extension claims to be version 3.39.4. When users install it, it asks for elevated permissions and steals credentials from a number of external sites.

The elevated permissions allow the malicious extension to read and change data on websites that the user visits. It also takes login credentials from amazon.com, live.com, github.com, google.com (for webstore login), myetherwallet.com, mymonero.com and idex.market, and from HTTP POST requests.

All of this data is sent to a server that appears to be in Ukraine.

MEGA adds that its own systems and credentials have not been affected by the malicious app.

It took just four hours for MEGA to upload a clean, genuine version to the Chrome webstore, which is version 3.39.5. Google has also taken the malicious app down from its webstore.

“You are only affected if you had the MEGA Chrome extension installed at the time of the incident, autoupdate enabled and you accepted the additional permission, or if you freshly installed version 3.39.4,” the company says in a blog.

“Please note that if you visited any site or made use of another extension that sends plain-text credentials through POST requests, either by direct form submission or through a background XMLHttpRequest process (MEGA is not one of them) while the trojaned extension was active, consider that your credentials were compromised on these sites and/or applications.”

MEGA says it apologises for this ‘significant incident’ and it is currently investigating how its Chrome webstore account was compromised.

“MEGA uses strict release procedures with multi-party code review, robust build workflow and cryptographic signatures where possible,” the company says.

“Unfortunately, Google decided to disallow publisher signatures on Chrome extensions and is now relying solely on signing them automatically after upload to the Chrome webstore, which removes an important barrier to external compromise.”

“MEGAsync and our Firefox extension are signed and hosted by us and could therefore not have fallen victim to this attack vector. While our mobile apps are hosted by Apple/Google/Microsoft, they are cryptographically signed by us and therefore immune as well.”
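
The affected version (3.39.4) and the broad site-access permission described above can both be checked from the extension manifests Chrome keeps on disk. The sketch below is an added example, not code from MEGA or from the original article. It assumes Chrome's `Extensions/<id>/<version>_0/manifest.json` layout, matches on the extension's display name because the article gives no extension ID, and uses an assumed list of "all sites" host patterns; the sample directory, ID and permissions are constructed.

```python
import json, tempfile
from pathlib import Path

AFFECTED, FIXED = "3.39.4", "3.39.5"  # versions named in the article
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}  # assumed all-sites patterns

def display_name(ext_dir, manifest):
    """Resolve a localized __MSG_key__ name via _locales/<default_locale>/messages.json."""
    name = manifest.get("name", "")
    if not (name.startswith("__MSG_") and name.endswith("__")):
        return name
    path = ext_dir / "_locales" / manifest.get("default_locale", "en") / "messages.json"
    try:
        messages = json.loads(path.read_text(encoding="utf-8-sig"))
    except (OSError, ValueError):
        return name  # keep the raw placeholder if the locale file is missing or broken
    wanted = name[6:-2].lower()  # compare keys case-insensitively
    return next((v.get("message", name) for k, v in messages.items() if k.lower() == wanted), name)

def triage(extensions_root, name_hint="mega"):
    """Return one finding per on-disk extension version whose name contains name_hint."""
    findings = []
    for mf in sorted(Path(extensions_root).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(mf.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, keep scanning
        name = display_name(mf.parent, manifest)
        if name_hint not in name.lower():
            continue
        perms = manifest.get("permissions", []) + manifest.get("host_permissions", [])
        findings.append({"dir": mf.parents[1].name, "name": name,
                         "version": manifest.get("version"),
                         "affected": manifest.get("version") == AFFECTED,
                         "broad_hosts": sorted(p for p in perms if isinstance(p, str) and p in BROAD)})
    return findings

def make_sample(root):  # constructed sample: one extension directory holding two versions
    for version, perms in ((AFFECTED, ["<all_urls>"]), (FIXED, ["storage"])):
        d = Path(root) / "constructed-extension-id" / f"{version}_0"
        (d / "_locales" / "en").mkdir(parents=True)
        (d / "_locales" / "en" / "messages.json").write_text('{"extName": {"message": "MEGA"}}')
        (d / "manifest.json").write_text(json.dumps({"name": "__MSG_extName__",
            "default_locale": "en", "version": version, "permissions": perms}))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_sample(tmp)
        print(*triage(tmp), sep="\n")
```

To use it on a real machine, pass a Chrome profile's `Extensions` directory to `triage`. A finding with `affected` set to true corresponds to the article's criterion of having version 3.39.4 installed.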
