The official Chrome extension for the MEGA.nz cloud storage service had been compromised and replaced with a malicious version that can steal users' credentials for popular websites like Amazon, Microsoft, Github, and Google, as well as private keys for users' cryptocurrency wallets.
On 4 September at 14:30 UTC, an unknown attacker managed to hack into MEGA's Google Chrome web store account and upload a malicious version 3.39.4 of an extension to the web store, according to a blog post published by the company.
Malicious MEGA Chrome Extension Steals Passwords
Upon installation or auto-update, the malicious extension asked for elevated permissions to access personal information, allowing it to steal credentials from sites like Amazon, Github, and Google, along with online wallets such as MyEtherWallet and MyMonero, and Idex.market cryptocurrency trading platform.
🔐 Mastering API Security: Understanding Your True Attack Surface
Discover the untapped vulnerabilities in your API ecosystem and take proactive steps towards ironclad security. Join our insightful webinar!Join the Session
The trojanized Mega extension then sent all the stolen information back to an attacker's server located at megaopac[.]host in Ukraine, which is then used by the attackers to log in to the victims' accounts, and also extract the cryptocurrency private keys to steal users' digital currencies.
"You are only affected if you had the MEGA Chrome extension installed at the time of the incident, autoupdate enabled, and you accepted the additional permission, or if you freshly installed version 3.39.4," the company warned.
The company also said Google disallowed publishers to sign their Chrome extensions and instead is now relying solely on signing them automatically by Google after the extension is uploaded, which makes it easier for hackers to push new updates same as developers do.
A security researcher, who first reported the breach, also posted a warning on Reddit and Twitter, advising users to avoid the trozanised MEGA extension.
Although the company has not revealed the number of users affected by the security incident, it is believed that the malicious version of the MEGA Chrome extension may have been installed by tens of millions of users.
What MEGA Users Should Do Next?
The Firefox version of MEGA has not been impacted or tampered with, and users accessing MEGA through its official website (https://mega.nz) without the Chrome extension are also not affected by the breach.
Four hours after the security breach, the company learned of the incident and updated the extension with a clean MEGA version (3.39.5), auto-updating all the affected installations.
Google also removed the MEGA extension from its Chrome Web Store five hours after the breach.
However, users should consider their credentials being compromised on websites and applications they visited while the trojanized MEGA Chrome extension was active.
"Please note that if you visited any site or made use of another extension that sends plain-text credentials through POST requests, either by direct form submission or through a background XMLHttpRequest process (MEGA is not one of them) while the trojaned extension was active, consider that your credentials were compromised on these sites and/or applications," the company said.
The Bottom line:
Users who had installed the malicious extension should uninstall the MEGA extension version 3.39.4 right now, and change passwords for all your accounts, especially for those you may have used while having the malicious extension.