{"id":6852,"date":"2018-09-06T00:07:00","date_gmt":"2018-09-05T22:07:00","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=6852"},"modified":"2019-03-25T00:21:18","modified_gmt":"2019-03-24T23:21:18","slug":"chrome-extension-for-mega-hacked","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2018\/09\/06\/chrome-extension-for-mega-hacked\/","title":{"rendered":"Chrome extension for Mega hacked"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2015\/01\/Schutz.jpg\" width=\"40\" align=\"left\" height=\"47\">[<a href=\"https:\/\/www.borncity.com\/blog\/2018\/09\/05\/chrome-erweiterung-fr-mega-gehackt-stiehlt-anmeldedaten\/\" target=\"_blank\" rel=\"noopener noreferrer\">German<\/a>]If you use the MEGA Chrome extension for the file sharing cloud service Mega, you may have a problem. The extension has been hacked to steal credentials.<\/p>\n<p><!--more--><\/p>\n<p>Mega is a cloud-based file sharing service located in New Zealand, which was founded by Kim Schmitz as the successor to Megaupload. Meanwhile, the company Mega Limited, which operates MEGA, is largely independent of Schmitz. <\/p>\n<h2>MEGA Chrome extension version 3.39.4 hacked<\/h2>\n<p>The MEGA extension makes it more convenient to access this file sharing service in the Google Chrome browser. Security specialist <a href=\"https:\/\/serhack.me\/\" rel=\"noopener noreferrer\" target=\"_blank\">SerHack<\/a> recently noticed that this extension is probably compromised. Malicious code steals credentials and crypto keys. As SerHack is working on the Monero project, he immediately published a warning <a href=\"https:\/\/twitter.com\/serhack_\/status\/1037026672787304450\" target=\"_blank\" rel=\"noopener noreferrer\">on Twitter<\/a> that the MEGA extension is compromised in version 3.39.4. 
<\/p>\n<blockquote class=\"twitter-tweet\" data-lang=\"de\">\n<p lang=\"en\" dir=\"ltr\">!!! WARNING !!!!!!! PLEASE PAY ATTENTION!!<\/p>\n<p>LATEST VERSION OF MEGA CHROME EXTENSION WAS HACKED. Version: 3.39.4 It catches your username and password from Amazon, GitHub, Google, Microsoft portals!! It could catch <a href=\"https:\/\/twitter.com\/hashtag\/mega?src=hash&amp;ref_src=twsrc%5Etfw\">#mega<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/extension?src=hash&amp;ref_src=twsrc%5Etfw\">#extension<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/hacked?src=hash&amp;ref_src=twsrc%5Etfw\">#hacked<\/a><a href=\"https:\/\/twitter.com\/x0rz?ref_src=twsrc%5Etfw\">@x0rz<\/a> <a href=\"https:\/\/t.co\/TnPalqj1cz\">pic.twitter.com\/TnPalqj1cz<\/a> \u2014 SerHack (@serhack_) <a href=\"https:\/\/twitter.com\/serhack_\/status\/1037026672787304450?ref_src=twsrc%5Etfw\">4 September 2018<\/a><\/p><\/blockquote>\n<p>Other security researchers joined the discussion under this tweet and shared the results of their analysis. I went through the tweets &#8211; the extension seems to steal credentials for Amazon, Microsoft, GitHub, and Google. If the information that Bleeping Computer <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/mega-chrome-extension-hacked-to-steal-login-credentials-and-cryptocurrency\/\" target=\"_blank\" rel=\"noopener noreferrer\">has published here<\/a> is correct, 1.6 million users of the extension are affected. Meanwhile, MEGA has admitted that their Chrome Web Store account has been hacked. <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script> <\/p>\n<blockquote class=\"twitter-tweet\" data-lang=\"de\">\n<p lang=\"en\" dir=\"ltr\">Security warning for MEGA Chrome Extension users: v3.39.4 was a malicious update from an unknown attacker. This version would request additional permissions. 
Anyone who accepted them while it was live for 4 hours may have been compromised and should read <a href=\"https:\/\/t.co\/tW7EDqKIci\">https:\/\/t.co\/tW7EDqKIci<\/a><\/p>\n<p>\u2014 MEGA (@MEGAprivacy) <a href=\"https:\/\/twitter.com\/MEGAprivacy\/status\/1037202647869218816?ref_src=twsrc%5Etfw\">5 September 2018<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script>At the moment they are still investigating what exactly happened. Here is the text of the MEGA statement:  <\/p>\n<blockquote><p>On 4 September 2018 at 14:30 UTC, an unknown attacker uploaded a trojaned version of MEGA's Chrome extension, version 3.39.4, to the Google Chrome webstore. Upon installation or autoupdate, it would ask for elevated permissions (Read and change all your data on the websites you visit) that MEGA's real extension does not require and would (if permissions were granted) exfiltrate credentials for sites including amazon.com, live.com, github.com, google.com (for webstore login), myetherwallet.com, mymonero.com, idex.market and HTTP POST requests to other sites, to a server located in Ukraine. Note that mega.nz credentials were not being exfiltrated. Four hours after the breach occurred, the trojaned extension was updated by MEGA with a clean version (3.39.5), autoupdating affected installations. Google removed the extension from the Chrome webstore five hours after the breach.<\/p><\/blockquote>\n<p><font color=\"#333333\" size=\"3\">So Google has removed the Chrome extension, and the new version isn't back in the Chrome extension store either. <\/font><\/p>\n<h2>What to do, if affected?<\/h2>\n<p>Normally, the MEGA extension version 3.39.5 should have been installed in Google Chrome via an auto-update. If you find the MEGA extension version 3.39.4 in Google Chrome, you should uninstall this extension immediately. Afterwards all login information for online accounts (mail, cloud, bank etc.) 
should be changed. <\/p>\n<h2>MEGA extension version 3.39.3 is clean<\/h2>\n<p>The Chrome extension archive site<em> crx.dam.io<\/em> has archived the previous version 3.39.3, which was released on September 2, 2018. An analysis showed that this version did not contain the malicious code. The hack of the Chrome extension MEGA must have happened after September 2, 2018. <\/p>\n<p>There is a MEGA extension for Firefox as well. The security researchers have examined this Firefox version of the MEGA addon and have come to the conclusion that it is clean.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]If you use the MEGA Chrome extension for the file sharing cloud service Mega, you may have a problem. The extension has been hacked to steal credentials.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580],"tags":[69],"class_list":["post-6852","post","type-post","status-publish","format-standard","hentry","category-security","tag-security"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/6852","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=6852"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/6852\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=6852"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=6852"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.co
m\/win\/wp-json\/wp\/v2\/tags?post=6852"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}