The official MEGA Chrome extension has been compromised according to security reports, and until the issue is resolved all users should uninstall it immediately. The version offered on the Chrome Web Store was replaced by a malicious instance that hijacks sensitive account credentials for multiple services. An investigation into the incident is ongoing.
The MEGA Chrome Extension Has Been Compromised, Delete it ASAP
All computer users with the MEGA Chrome extension installed should remove it, as the file sharing service has reported that its official plugin was replaced with a malware clone. The news about the incident was posted on MEGA's official blog. According to that post, on September 4 2018 at 14:30 an unknown hacker (or criminal collective) was able to upload the dangerous extension. This means that all users who had the official extension installed in their browsers would receive the updated Trojan version.
The update triggers a notification prompt requesting elevated permissions ("Read and change all your data on the websites you visit"); this prompt is one of the indicators that a malicious instance has been installed. If the permissions are granted, the built-in credential theft begins. Built-in commands and scripts look for stored account credentials for popular services and harvest them. All extracted information is immediately reported to a hacker-controlled server located in Ukraine. The list of targeted services includes the following:
- Google Webstore Login
- My Ether Wallet
- My Monero
- IDEX Market
- Other web services
Users are vulnerable in two cases:
- If they have the old MEGA Chrome extension installed, have auto-updates enabled, and accepted the additional permissions requested by the malware version.
- If they freshly install the malicious version.
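The permission prompt mentioned above is the one Chrome shows when an extension asks for host access to every site. The following added example (not code from the article or from MEGA) audits extension manifests for that broad host access, so a defender can list which installed extensions would be able to read credentials on every page; the sample manifests and the profile path are constructed assumptions.

```python
"""Flag Chrome extension manifests that request access to all websites,
i.e. the permission behind the "Read and change all your data on the
websites you visit" prompt. Added example, not the article's own code."""
import json
from pathlib import Path

# Host match patterns that Chrome surfaces with the all-sites warning.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def requested_hosts(manifest: dict) -> set:
    """Collect host patterns from MV2 'permissions' and MV3 'host_permissions'."""
    hosts = set()
    for key in ("permissions", "host_permissions"):
        for entry in manifest.get(key, []):
            # Named API permissions (e.g. "storage") carry no scheme.
            if entry == "<all_urls>" or "://" in entry:
                hosts.add(entry)
    return hosts


def has_broad_host_access(manifest: dict) -> bool:
    """True when the extension can run on every site the user visits."""
    return bool(requested_hosts(manifest) & BROAD_HOST_PATTERNS)


def audit(manifests: dict) -> list:
    """Return the names of extensions requesting all-sites access, sorted."""
    return sorted(name for name, m in manifests.items() if has_broad_host_access(m))


def load_installed(profile_dir: str) -> dict:
    """Read manifest.json for every installed extension under a Chrome profile
    directory (assumed layout: <profile>/Extensions/<id>/<version>/manifest.json)."""
    found = {}
    for path in Path(profile_dir, "Extensions").glob("*/*/manifest.json"):
        with open(path, encoding="utf-8") as fh:
            manifest = json.load(fh)
        found[f"{manifest.get('name')} {manifest.get('version')}"] = manifest
    return found


# Constructed sample manifests; names and versions are made up for the example.
SAMPLE_MANIFESTS = {
    "benign-notes 1.0": {"manifest_version": 3, "permissions": ["storage"],
                         "host_permissions": ["https://notes.example/*"]},
    "suspicious-update 2.0": {"manifest_version": 2,
                              "permissions": ["storage", "<all_urls>"]},
    "suspicious-mv3 1.1": {"manifest_version": 3, "host_permissions": ["*://*/*"]},
}

if __name__ == "__main__":
    for name in audit(SAMPLE_MANIFESTS):
        print("requests access to all websites:", name)
```

Point `load_installed` at a real profile directory to run the same check over the extensions actually installed on a machine.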
The likely criminal intent is to use the hijacked credentials to commit various crimes, including identity theft and financial abuse. It is believed that the extension is primarily aimed at cryptocurrency services: the harvested account names and passwords are used to hijack the victims' wallets. Access to the private keys would allow the criminals to transfer all assets to their own accounts.
After Google and MEGA received reports of the infections, the MEGA Chrome extension was taken down and later replaced by the legitimate version. Even though the incident was short-lived, thousands of users are potentially affected. According to MEGA's announcement, one of the reasons the criminals were able to hijack it is that Google decided to disallow publisher signatures for Chrome extensions and now relies on signing them automatically after upload. MEGA states that this removed a barrier against external compromise. There is still no information on how exactly this mechanism was abused to get the fake extension into the official repository. For more information on the matter you can read the service's official message here.
While it is safe to use the newest version, which is the official one, there is still the possibility of it being overwritten once again. Until more information is available about the cause of the incident, we recommend that all users disallow the use of the MEGA Chrome extension.