Chrome extension for Mega hacked

[German]If you use the MEGA Chrome extension for the file sharing cloud service Mega , you may have a problem. The extension has been hacked to steal credentials.


Mega is a cloud-based file sharing service located in New Zealand, which was founded by Kim Schmitz as successor of Megauplod. Meanwhile the company Mega Limited, who operate MEGA, is largely independent of Schmitz.

MEGA Chrome extension version 3.39.4 hacked

In order to be able to access this file sharing service more comfortably in the Google Chrome browser, there is the extension MEGA. Security specialist SerHack recently noticed that this extension is probably compromised. Malicious code steals credentials and crypto keys. As SerHack is working on the Monero project, he immediately published a warning on Twitter that the MEGA extension is compromised in version 3.39.4.

Other security researchers joined in this tweet and shared the results of the analysis. I went through the tweets – the extension seems to steal credentials for Amazon, Microsoft, Github, and Google. If the information that Bleeping Computer has published here is correct, 1.6 million users of the expansion are affected. Meanwhile, MEGA has admitted that their Chrome web shop account has been hacked.

At the moment they are still investigating what exactly happened. Here is the text of the MEGA statement:

On 4 September 2018 at 14:30 UTC, an unknown attacker uploaded a trojaned version of MEGA's Chrome extension, version 3.39.4, to the Google Chrome webstore. Upon installation or autoupdate, it would ask for elevated permissions (Read and change all your data on the websites you visit) that MEGA's real extension does not require and would (if permissions were granted) exfiltrate credentials for sites including,,, (for webstore login),,, and HTTP POST requests to other sites, to a server located in Ukraine. Note that credentials were not being exfiltrated. Four hours after the breach occurred, the trojaned extension was updated by MEGA with a clean version (3.39.5), autoupdating affected installations. Google removed the extension from the Chrome webstore five hours after the breach.

So the Chrome extension has been removed from Google, and also the new version isn't back in Chrome extension store.


What to do, if affected?

Normally, the Mega-Extension Version 3.39.5 should have been installed in Google Chrome via an auto-update. If you find the Mega-Extension Version 3.39.4 in Google Chrome, you should uninstall this extension immediately. Afterwards all login information for online accounts (mail, cloud, bank etc.) should be changed.

Mega-Extension Version 3.39.3 is clean

According to the Chrome extension archive page, the previous version 3.39.3, which was released on September 2, 2018, was archived. An analysis showed that this version did not contain the malicious code. The hack of the Chrome extension MEGA must have happened after September 2, 2018.

For Firefox there is such an extension as well. The security researchers have examined this Firefox version of the MEGA addon and have come to the conclusion that it is clean.

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *