Mega, the file-sharing website that was quick to gain popularity only to be shunned by its founder years later, has had a major security lapse, as its Chrome extension – on the Chrome Web Store – was updated and replaced with one containing malicious code intended to steal user credentials as well as private keys for cryptocurrency wallets.
“On 4 September 2018 at 14:30 UTC, an unknown attacker uploaded a trojaned version of MEGA's Chrome extension, version 3.39.4, to the Google Chrome webstore,” the company writes in its blogpost detailing the breach.
According to Mega, the malicious extension specifically targeted websites such as Amazon, Live (Microsoft), GitHub, and Google, among others, to capture user credentials. It also captured private keys for cryptocurrency wallets, targeting services like MyEtherWallet, MyMonero, and Idex.market. Additionally, the company adds:
Please note that if you visited any site or made use of another extension that sends plain-text credentials through POST requests, either by direct form submission or through a background XMLHttpRequest process (MEGA is not one of them) while the trojaned extension was active, consider that your credentials were compromised on these sites and/or applications.
The extension sent off any captured information to a server in Ukraine, per Mega’s investigation.
Affected users are those who freshly installed the extension during the timespan it was compromised and those who updated to version 3.39.4 of the extension. That version did, however, request a vastly increased number of permissions, so even with auto-update enabled users would have had to accept the new permissions.
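The permission jump is the one signal users and administrators could have acted on before the update took effect. As an added example (not MEGA's or Google's code), the script below diffs the permission sets of two extension manifests and flags an update that adds high-risk permissions; both manifests and the risk list are constructed samples, not the real MEGA 3.39.x manifests.

```python
"""Flag Chrome extension updates that request substantially more permissions."""
import json

# Constructed review list: permissions whose sudden appearance merits a manual look.
HIGH_RISK = {"<all_urls>", "webRequest", "webRequestBlocking", "tabs",
             "cookies", "history", "nativeMessaging", "debugger"}

# Constructed sample manifests standing in for a benign version and a trojaned update.
OLD_MANIFEST = json.dumps({
    "manifest_version": 2, "name": "example-ext", "version": "3.39.3",
    "permissions": ["storage", "https://example.com/*"],
})
NEW_MANIFEST = json.dumps({
    "manifest_version": 2, "name": "example-ext", "version": "3.39.4",
    "permissions": ["storage", "https://example.com/*", "<all_urls>",
                    "webRequest", "webRequestBlocking", "tabs"],
})


def _permissions(manifest_json):
    """Collect every permission a manifest can request, across MV2 and MV3 keys."""
    m = json.loads(manifest_json)
    perms = set(m.get("permissions", []))
    perms |= set(m.get("optional_permissions", []))
    perms |= set(m.get("host_permissions", []))  # MV3 keeps host patterns separately
    return perms


def permission_diff(old_json, new_json):
    """Return (added, removed, high_risk_added), each as a sorted list."""
    old, new = _permissions(old_json), _permissions(new_json)
    added = sorted(new - old)
    removed = sorted(old - new)
    risky = sorted(p for p in added if p in HIGH_RISK)
    return added, removed, risky


def needs_review(old_json, new_json, max_new=2):
    """True when an update adds any high-risk permission or more than max_new in total."""
    added, _, risky = permission_diff(old_json, new_json)
    return bool(risky) or len(added) > max_new


if __name__ == "__main__":
    added, removed, risky = permission_diff(OLD_MANIFEST, NEW_MANIFEST)
    print("added:", added)
    print("high-risk added:", risky)
    print("review needed:", needs_review(OLD_MANIFEST, NEW_MANIFEST))
```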
Mega says it is still investigating how the perpetrator managed to gain access to its Chrome Web Store account. As for the extension, the company says it took immediate action as soon as it became aware of the lapse:
Four hours after the breach occurred, the trojaned extension was updated by MEGA with a clean version (3.39.5), autoupdating affected installations. Google removed the extension from the Chrome webstore five hours after the breach.
In its blogpost, Mega also points some of the blame at Google: “Unfortunately, Google decided to disallow publisher signatures on Chrome extensions and is now relying solely on signing them automatically after upload to the Chrome webstore, which removes an important barrier to external compromise,” the company notes.
As of writing, the extension remains missing from the Chrome Web Store.