Rogue MEGA Chrome Extension Stole Passwords and Crypto Keys
Founded by Kim Dotcom in 2013, the MEGA file-hosting site was an overnight success, attracting hundreds of thousands of users in a matter of hours.
The platform launched on a wave of concerns over Internet snooping so with tight encryption and privacy as a policy, it went on to become a roaring success. Now, however, it’s reporting a serious breach that affects a currently unknown number of users.
“On 4 September 2018 at 14:30 UTC, an unknown attacker uploaded a trojaned version of MEGA’s Chrome extension, version 3.39.4, to the Google Chrome webstore,” the company reports.
MEGA says that whenever a user installed or auto-updated to the rogue extension, it sought permissions that the official extension does not. That included the ability to read and change ALL data on websites the user visits. While for experienced users that should’ve set alarm bells ringing, many people would not have understood the risks. As it turns out, they were huge.
The rogue extension was programmed to steal user credentials for a range of sites including Amazon, Live (Microsoft), Github, and Google’s webstore, meaning that anyone with accounts on these sites could’ve had their usernames and passwords stolen. Things got worse, however.
According to a user posting on Reddit, the extension also has the ability to steal private keys to cryptocurrency wallets affecting MyEtherWallet, MyMonero, and Idex.market utilizing the following code.:
“content_scripts”: [ {
“js”: [ “mega/jquery.js”, “mega/content.js” ],
“matches”: [ “file:///*”, “https://www.myetherwallet.com/*”, “https://mymonero.com/*”, “https://idex.market/*” ],
“run_at”: “document_end”
} ]
In a security update, MEGA confirmed the findings, noting that the extension had been sending credentials to a server located in Ukraine, previously identified by Monero developer SerHack as www.megaopac.host.
@MyMonero @myetherwallet @aurora_dao keys will be logged too! PLEASE UNINSTALL MEGA AS SOON AS POSSIBLE. @fluffypony pic.twitter.com/V8T6NVV8rO
— SerHack (@serhack_) September 4, 2018
https://platform.twitter.com/widgets.js
MEGA says it is currently investigating how its Chrome webstore account was compromised to allow the attacker to upload the malicious code. However, as soon as it became aware of the problems, the company took immediate action.
“Four hours after the breach occurred, the trojaned extension was updated by MEGA with a clean version (3.39.5), autoupdating affected installations. Google removed the extension from the Chrome webstore five hours after the breach,” the company reports.
This serious breach affects two sets of people; those who had the MEGA Chrome extension installed at the time of the incident, had auto-update enabled (and accepted the new elevated permissions), plus anyone who freshly installed version 3.39.4 of the extension.
While credentials for the sites detailed above were specifically targeted, MEGA says that these could be the tip of the iceberg due to the extension attempting to capture information destined for other platforms.
“Please note that if you visited any site or made use of another extension that sends plain-text credentials through POST requests, either by direct form submission or through a background XMLHttpRequest process (MEGA is not one of them) while the trojaned extension was active, consider that your credentials were compromised on these sites and/or applications,” the company warns. (see note below)
TorrentFreak contacted MEGA for comment and company chairman Stephen Hall pointed us to technical advice and an apology from the company. MEGA says it has strict release procedures with multi-party code review. However, limitations in place at Google means that security isn’t as tight as it could be.
“Google decided to disallow publisher signatures on Chrome extensions and is now relying solely on signing them automatically after upload to the Chrome webstore, which removes an important barrier to external compromise,” the company notes.
Since MEGAsync and MEGA’s Firefox extension are both signed and hosted by the company, they are unaffected by this attack. MEGA’s mobile apps, which are hosted by Apple, Google, and Microsoft are also unaffected.
Also in the clear is MEGA itself. The extension didn’t have the ability to steal users’ MEGA credentials and any users accessing MEGA without the Chrome extension remain unaffected.
Note: TorrentFreak has asked MEGA for additional clarification on the “plain-text credentials through POST requests” statement and details on why MEGA itself isn’t at risk. We’ll update when we receive a response.
Source: TF, for the latest info on copyright, file-sharing, torrent sites and more. We also have VPN reviews, discounts, offers and coupons.
Leave a Reply
Want to join the discussion?Feel free to contribute!