sb-au logo
Story image

MEGA's Chrome extension hacked; third party credentials exposed

06 Sep 2018

Online file sharing site MEGA has issued a warning to users to be wary of a malicious Chrome extension that is masquerading as the real one. MEGA posted a blog this week that an unidentified attacker uploaded a Trojanised version of MEGA’s Chrome extension to Google Chrome webstore. Those who do not use or access MEGA through the Chrome extension are not affected.

The malicious extension claims to be version 3.39.4. When users install it, it then asks for elevated permissions and steals credentials from a number of external sites.

The elevated permissions allow the malicious extension to read and change data on websites that the user visits, and also takes login credentials from amazon.com, live.com, github.com, google.com (for webstore login), myetherwallet.com, mymonero.com, idex.market and HTTP POST requests.

All of this data is being fed back to a server appearing to be in the Ukraine.

MEGA adds that its own systems and credentials have not been affected by the malicious app.

It took just four hours for MEGA to upload a clean, genuine version to the Chrome webstore, which is version 3.39.5. Google has also taken the malicious app down from its webstore.

“You are only affected if you had the MEGA Chrome extension installed at the time of the incident, autoupdate enabled and you accepted the additional permission, or if you freshly installed version 3.39.4,” the company says in a blog.

“Please note that if you visited any site or made use of another extension that sends plain-text credentials through POST requests, either by direct form submission or through a background XMLHttpRequest process (MEGA is not one of them) while the trojaned extension was active, consider that your credentials were compromised on these sites and/or applications.”

MEGA says it apologises for this ‘significant incident’ and it is currently investigating how its Chrome webstore account was compromised.

“MEGA uses strict release procedures with multi-party code review, robust build workflow and cryptographic signatures where possible,” the company says.

“Unfortunately, Google decided to disallow publisher signatures on Chrome extensions and is now relying solely on signing them automatically after upload to the Chrome webstore, which removes an important barrier to external compromise.”

“MEGAsync and our Firefox extension are signed and hosted by us and could therefore not have fallen victim to this attack vector. While our mobile apps are hosted by Apple/Google/Microsoft, they are cryptographically signed by us and therefore immune as well.”

Story image
Essential tools for managing user identity and how they impact your bottom line
Customer identity and access management (CIAM) is how companies give their end-users access to their digital properties, as well as how they govern, collect, analyse, and securely store data for those users.More
Story image
Millions of email attacks missed by organisations’ cyber security protection
"While organisations have invested in protection against email threats, many of these attacks slip through gateways, landing in users inboxes."More
Story image
Creating a strong culture of security within organisations
CISOs worldwide are inherently aware of how significant investment in cybersecurity strategies and technologies can bolster an organisation’s protection against cyberattacks. However, many overlook the importance of culture when it comes to cybersecurity.More
Story image
Investing in digital trust for the post-pandemic business landscape
Business leaders in 2021 need to make sustainable investments to give their organisations a much-needed resilience boost to tackle new disruptions, while still enabling growth.More
Story image
Latest Tenable launch provides holistic approach to vulnerability management
Tenable.ep is reportedly the industry’s first, all-in-one, risk-based vulnerability management platform designed to scale as dynamic compute requirements change.More
Story image
2021's Most Wanted: Emotet continues reign as top malware threat 
The Emotet trojan continues to reign as top malware in January, despite international law enforcement taking control of its infrastructure.More