[German]If you use the MEGA Chrome extension for the file sharing cloud service Mega , you may have a problem. The extension has been hacked to steal credentials.
Advertising
Mega is a cloud-based file sharing service located in New Zealand, which was founded by Kim Schmitz as successor of Megauplod. Meanwhile the company Mega Limited, who operate MEGA, is largely independent of Schmitz.
MEGA Chrome extension version 3.39.4 hacked
In order to be able to access this file sharing service more comfortably in the Google Chrome browser, there is the extension MEGA. Security specialist SerHack recently noticed that this extension is probably compromised. Malicious code steals credentials and crypto keys. As SerHack is working on the Monero project, he immediately published a warning on Twitter that the MEGA extension is compromised in version 3.39.4.
!!! WARNING !!!!!!! PLEASE PAY ATTENTION!!
LATEST VERSION OF MEGA CHROME EXTENSION WAS HACKED. Version: 3.39.4 It catches your username and password from Amazon, GitHub, Google, Microsoft portals!! It could catch #mega #extension #hacked@x0rz pic.twitter.com/TnPalqj1cz — SerHack (@serhack_) 4. September 2018
Other security researchers joined in this tweet and shared the results of the analysis. I went through the tweets – the extension seems to steal credentials for Amazon, Microsoft, Github, and Google. If the information that Bleeping Computer has published here is correct, 1.6 million users of the expansion are affected. Meanwhile, MEGA has admitted that their Chrome web shop account has been hacked.
Security warning for MEGA Chrome Extension users: v3.39.4 was a malicious update from an unknown attacker. This version would request additional permissions. Anyone who accepted them while it was live for 4 hours may have been compromised and should read https://t.co/tW7EDqKIci
— MEGA (@MEGAprivacy) 5. September 2018
At the moment they are still investigating what exactly happened. Here is the text of the MEGA statement:
On 4 September 2018 at 14:30 UTC, an unknown attacker uploaded a trojaned version of MEGA's Chrome extension, version 3.39.4, to the Google Chrome webstore. Upon installation or autoupdate, it would ask for elevated permissions (Read and change all your data on the websites you visit) that MEGA's real extension does not require and would (if permissions were granted) exfiltrate credentials for sites including amazon.com, live.com, github.com, google.com (for webstore login), myetherwallet.com, mymonero.com, idex.market and HTTP POST requests to other sites, to a server located in Ukraine. Note that mega.nz credentials were not being exfiltrated. Four hours after the breach occurred, the trojaned extension was updated by MEGA with a clean version (3.39.5), autoupdating affected installations. Google removed the extension from the Chrome webstore five hours after the breach.
So the Chrome extension has been removed from Google, and also the new version isn't back in Chrome extension store.
Advertising
What to do, if affected?
Normally, the Mega-Extension Version 3.39.5 should have been installed in Google Chrome via an auto-update. If you find the Mega-Extension Version 3.39.4 in Google Chrome, you should uninstall this extension immediately. Afterwards all login information for online accounts (mail, cloud, bank etc.) should be changed.
Mega-Extension Version 3.39.3 is clean
According to the Chrome extension archive page crx.dam.io, the previous version 3.39.3, which was released on September 2, 2018, was archived. An analysis showed that this version did not contain the malicious code. The hack of the Chrome extension MEGA must have happened after September 2, 2018.
For Firefox there is such an extension as well. The security researchers have examined this Firefox version of the MEGA addon and have come to the conclusion that it is clean.
