Uninstall the MEGA file storage service’s Chrome browser extension now!
MEGA is a cloud storage and file hosting service offered by Mega Limited, a company based in New Zealand. The service allocates 50GB of cloud storage to its users for free, and up to 8TB for paid accounts.
The official Chrome extension for the MEGA.nz cloud storage service was compromised and replaced with a malicious version that can steal users’ credentials for popular websites like Amazon, Microsoft, GitHub, and Google, as well as the private keys of users’ cryptocurrency wallets.
On 4 September at 14:30 UTC, an unknown attacker managed to hack into MEGA’s Google Chrome Web Store account and uploaded a malicious version 3.39.4 of the extension to the store, according to a blog post published by the company.
The malicious version 3.39.4 of the extension steals passwords
Upon installation or auto-update, the malicious extension asked for elevated permissions to access personal information, allowing it to steal credentials from sites like Amazon, GitHub, and Google, along with online wallets such as MyEtherWallet and MyMonero, and the Idex.market cryptocurrency trading platform.
The trojanized MEGA extension then sent all the stolen information back to an attacker-controlled server at megaopac.host in Ukraine, which the attackers then used to log in to the victims’ accounts and to extract cryptocurrency private keys in order to steal users’ digital currencies.
“You are only affected if you had the MEGA Chrome extension installed at the time of the incident, autoupdate enabled, and you accepted the additional permission, or if you freshly installed version 3.39.4,” the company warned.
The company also said that Google no longer allows publishers to sign their own Chrome extensions and instead relies solely on Google signing them automatically after the extension is uploaded, which makes it easier for an attacker who gets into a publisher’s account to push new updates exactly as the developer would.
The official Twitter account of Monero (XMR) also posted a warning about the incident, saying that the malicious MEGA extension also includes functionality to steal Monero cryptocurrency, and advising Monero holders to stay away from the extension.
A security researcher, who first reported the breach, also posted a warning on Reddit and Twitter, advising users to avoid the trojanized MEGA extension.
!!! WARNING !!!!!!! PLEASE PAY ATTENTION!!
LATEST VERSION OF MEGA CHROME EXTENSION WAS HACKED.
Version: 3.39.4
It catches your username and password from Amazon, GitHub, Google, Microsoft portals!! It could catch #mega #extension #hacked@x0rz pic.twitter.com/TnPalqj1cz
— SerHack (@serhack_) September 4, 2018
Although the company has not revealed the number of users affected by the security incident, it is believed that the malicious version of the MEGA Chrome extension may have been installed by tens of millions of users.
What action should Mega users take now?
The Firefox version of MEGA has not been impacted or tampered with, and users accessing MEGA through its official website (https://mega.nz) without the Chrome extension are also not affected by the breach.
Four hours after the security breach, the company learned of the incident and updated the extension with a clean MEGA version (3.39.5), auto-updating all the affected installations.
Google also removed the MEGA extension from its Chrome Web Store five hours after the breach.
However, users should consider their credentials compromised on any websites and applications they visited while the trojanized MEGA Chrome extension was active.
“Please note that if you visited any site or made use of another extension that sends plain-text credentials through POST requests, either by direct form submission or through a background XMLHttpRequest process (MEGA is not one of them) while the trojaned extension was active, consider that your credentials were compromised on these sites and/or applications,” the company said.
The bottom line:
Users who installed the malicious extension should uninstall MEGA extension version 3.39.4 right now and change the passwords for all their accounts, especially those they used while the malicious extension was active.
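To answer the question above for more than one machine, here is an added example (not code from MEGA or The Hacker News) that sweeps a Chrome profile’s Extensions directory for a MEGA extension and flags the trojanized 3.39.4 build against the clean 3.39.5 release. The on-disk layout <root>/<extension id>/<version dir>/manifest.json, the name-based match and the fake extension IDs in the sample tree are assumptions.

```python
import json
import tempfile
from pathlib import Path

# Version numbers are the ones from the incident write-up above.
TROJANIZED_VERSION = "3.39.4"
CLEAN_VERSION = "3.39.5"

def classify_version(version):
    """Map a MEGA extension manifest version to a triage verdict."""
    if version == TROJANIZED_VERSION:
        return "trojanized"
    if version == CLEAN_VERSION:
        return "clean"
    return "unknown"

def find_mega_installs(extension_root):
    """Scan a Chrome profile's Extensions directory (assumed layout:
    <root>/<extension_id>/<version_dir>/manifest.json) and return a sorted list of
    (extension_id, manifest_version, verdict) for every extension whose manifest name
    mentions MEGA. The name match is a heuristic: a localized "__MSG_..." name would
    be missed, so treat an empty result as a first pass, not a clean bill of health."""
    findings = []
    for manifest in Path(extension_root).glob("*/*/manifest.json"):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, do not abort the sweep
        if "mega" not in str(data.get("name", "")).lower():
            continue
        version = str(data.get("version", ""))
        findings.append((manifest.parent.parent.name, version, classify_version(version)))
    return sorted(findings)

def build_constructed_sample():
    """Create a throwaway Extensions tree with constructed manifests and fake extension
    IDs so the scanner can be exercised offline; returns the tree's path."""
    root = Path(tempfile.mkdtemp(prefix="ext-scan-"))
    sample = {  # constructed data, not real Chrome Web Store IDs
        ("fakeidmegaold", "3.39.4_0"): {"name": "MEGA", "version": "3.39.4"},
        ("fakeidmeganew", "3.39.5_0"): {"name": "MEGA", "version": "3.39.5"},
        ("fakeidother", "1.0_0"): {"name": "Some Other Extension", "version": "1.0"},
    }
    for (ext_id, version_dir), manifest in sample.items():
        ext_dir = root / ext_id / version_dir
        ext_dir.mkdir(parents=True)
        (ext_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root
```

Point find_mega_installs at a real profile’s Extensions directory (for example ~/.config/google-chrome/Default/Extensions on Linux) to check an actual machine; any "trojanized" verdict means uninstalling the extension and rotating the credentials used while it was active.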
Source: TheHackerNews