Story image

MEGA's Chrome extension hacked; third party credentials exposed

06 Sep 18

Online file sharing site MEGA has issued a warning to users to be wary of a malicious Chrome extension that is masquerading as the real one.

MEGA posted a blog this week that an unidentified attacker uploaded a Trojanised version of MEGA’s Chrome extension to Google Chrome webstore. Those who do not use or access MEGA through the Chrome extension are not affected.

The malicious extension claims to be version 3.39.4. When users install it, it then asks for elevated permissions and steals credentials from a number of external sites.

The elevated permissions allow the malicious extension to read and change data on websites that the user visits, and also takes login credentials from amazon.com, live.com, github.com, google.com (for webstore login), myetherwallet.com, mymonero.com, idex.market and HTTP POST requests.

All of this data is being fed back to a server appearing to be in the Ukraine.

MEGA adds that its own systems and credentials have not been affected by the malicious app.

It took just four hours for MEGA to upload a clean, genuine version to the Chrome webstore, which is version 3.39.5. Google has also taken the malicious app down from its webstore.

“You are only affected if you had the MEGA Chrome extension installed at the time of the incident, autoupdate enabled and you accepted the additional permission, or if you freshly installed version 3.39.4,” the company says in a blog.


“Please note that if you visited any site or made use of another extension that sends plain-text credentials through POST requests, either by direct form submission or through a background XMLHttpRequest process (MEGA is not one of them) while the trojaned extension was active, consider that your credentials were compromised on these sites and/or applications.”

MEGA says it apologises for this ‘significant incident’ and it is currently investigating how its Chrome webstore account was compromised.

“MEGA uses strict release procedures with multi-party code review, robust build workflow and cryptographic signatures where possible,” the company says.

“Unfortunately, Google decided to disallow publisher signatures on Chrome extensions and is now relying solely on signing them automatically after upload to the Chrome webstore, which removes an important barrier to external compromise.”

“MEGAsync and our Firefox extension are signed and hosted by us and could therefore not have fallen victim to this attack vector. While our mobile apps are hosted by Apple/Google/Microsoft, they are cryptographically signed by us and therefore immune as well.”

London coworking space teams with Global Cyber Alliance
A London-based coworking space is about to become a major cybersecurity innovation hub and a primary UK landing pad for security challenge winners.
Comms providers hit by most DDoS attacks in Q3 2018
New data indicates attackers preyed on the large attack surface of ASN-level communications service providers with a ‘bit-and-piece’ approach.
Check Point launches hyperscale network security solution
With Check Point Maestro, organisations can scale up their existing Check Point security gateways on demand.
Should AI technology determine the necessity for cyber attack responses?
Fujitsu has developed an AI that supposedly automatically determines whether action needs to be taken in response to a cyber attack.
Trend Micro’s telecom security solution certified as VMware-ready
Certification by VMware allows communications service providers who prefer or have already adopted VMware vCloud NFV to add network security services from Trend Micro.
Frost & Sullivan honours Honeywell's IIoT value creation
Frost & Sullivan has awarded Honeywell with the 2018 Global Customer Value Leadership Award for its work protecting industrial internet of things (IIoT) customers.
Top cybersecurity threats of 2019 – Carbon Black
Carbon Black chief cybersecurity officer Tom Kellermann combines his thoughts with those of Carbon Black's threat analysts and security strategists.
Google's €50m fine a wake up call for big data analytics
Data analytics are essential to company growth, competitive differentiation, and innovation. But there’s now a huge challenge.