MEGA's Chrome extension hacked; third party credentials exposed
Online file sharing site MEGA has issued a warning to users to be wary of a malicious Chrome extension that is masquerading as the real one. MEGA posted a blog this week that an unidentified attacker uploaded a Trojanised version of MEGA's Chrome extension to Google Chrome webstore. Those who do not use or access MEGA through the Chrome extension are not affected.
The malicious extension claims to be version 3.39.4. When users install it, it then asks for elevated permissions and steals credentials from a number of external sites.
The elevated permissions allow the malicious extension to read and change data on websites that the user visits, and also takes login credentials from amazon.com, live.com, github.com, google.com (for webstore login), myetherwallet.com, mymonero.com, idex.market and HTTP POST requests.
All of this data is being fed back to a server appearing to be in the Ukraine.
MEGA adds that its own systems and credentials have not been affected by the malicious app.
It took just four hours for MEGA to upload a clean, genuine version to the Chrome webstore, which is version 3.39.5. Google has also taken the malicious app down from its webstore.
"You are only affected if you had the MEGA Chrome extension installed at the time of the incident, autoupdate enabled and you accepted the additional permission, or if you freshly installed version 3.39.4," the company says in a blog.
"Please note that if you visited any site or made use of another extension that sends plain-text credentials through POST requests, either by direct form submission or through a background XMLHttpRequest process (MEGA is not one of them) while the trojaned extension was active, consider that your credentials were compromised on these sites and/or applications.
MEGA says it apologises for this 'significant incident' and it is currently investigating how its Chrome webstore account was compromised.
"MEGA uses strict release procedures with multi-party code review, robust build workflow and cryptographic signatures where possible," the company says.
"Unfortunately, Google decided to disallow publisher signatures on Chrome extensions and is now relying solely on signing them automatically after upload to the Chrome webstore, which removes an important barrier to external compromise.
"MEGAsync and our Firefox extension are signed and hosted by us and could therefore not have fallen victim to this attack vector. While our mobile apps are hosted by Apple/Google/Microsoft, they are cryptographically signed by us and therefore immune as well.