Story image

MEGA's Chrome extension hacked; third party credentials exposed

06 Sep 2018

Online file sharing site MEGA has issued a warning to users to be wary of a malicious Chrome extension that is masquerading as the real one.

MEGA posted a blog this week that an unidentified attacker uploaded a Trojanised version of MEGA’s Chrome extension to Google Chrome webstore. Those who do not use or access MEGA through the Chrome extension are not affected.

The malicious extension claims to be version 3.39.4. When users install it, it then asks for elevated permissions and steals credentials from a number of external sites.

The elevated permissions allow the malicious extension to read and change data on websites that the user visits, and also takes login credentials from amazon.com, live.com, github.com, google.com (for webstore login), myetherwallet.com, mymonero.com, idex.market and HTTP POST requests.

All of this data is being fed back to a server appearing to be in the Ukraine.

MEGA adds that its own systems and credentials have not been affected by the malicious app.

It took just four hours for MEGA to upload a clean, genuine version to the Chrome webstore, which is version 3.39.5. Google has also taken the malicious app down from its webstore.

“You are only affected if you had the MEGA Chrome extension installed at the time of the incident, autoupdate enabled and you accepted the additional permission, or if you freshly installed version 3.39.4,” the company says in a blog.


“Please note that if you visited any site or made use of another extension that sends plain-text credentials through POST requests, either by direct form submission or through a background XMLHttpRequest process (MEGA is not one of them) while the trojaned extension was active, consider that your credentials were compromised on these sites and/or applications.”

MEGA says it apologises for this ‘significant incident’ and it is currently investigating how its Chrome webstore account was compromised.

“MEGA uses strict release procedures with multi-party code review, robust build workflow and cryptographic signatures where possible,” the company says.

“Unfortunately, Google decided to disallow publisher signatures on Chrome extensions and is now relying solely on signing them automatically after upload to the Chrome webstore, which removes an important barrier to external compromise.”

“MEGAsync and our Firefox extension are signed and hosted by us and could therefore not have fallen victim to this attack vector. While our mobile apps are hosted by Apple/Google/Microsoft, they are cryptographically signed by us and therefore immune as well.”

Oracle updates enterprise blockchain platform
Oracle’s enterprise blockchain has been updated to include more capabilities to enhance development, integration, and deployment of customers’ new blockchain applications.
Used device market held back by lack of data security regulations
Mobile device users are sceptical about trading in their old device because they are concerned that data on those devices may be accessed or compromised after they hand it over.
Gartner names ExtraHop leader in network performance monitoring
ExtraHop provides enterprise cyber analytics that deliver security and performance from the inside out.
Symantec acquires zero trust innovator Luminate Security
Luminate’s Secure Access Cloud is supposedly natively constructed for a cloud-oriented, perimeter-less world.
Palo Alto releases new, feature-rich firewall
Palo Alto is calling it the ‘fastest-ever next-generation firewall’ with integrated cloud-based DNS Security service to stop attacks.
Facebook fights fake news ahead of Africa elections
“We also show related articles from fact-checkers for more context and notify users if a story they have shared is rated as false.”
The right to be forgotten online could soon be forgotten
Despite bolstering free speech and access to information, the internet can be a double-edged sword, because that access to information goes both ways.
Opinion: 4 Ransomware trends to watch in 2019
Recorded Future's Allan Liska looks at the past big ransomware attacks thus far to predict what's coming this year.