Security researchers have discovered that the MEGA Chrome extension had been compromised to steal login credentials and cryptocurrency keys. Once it was discovered that the extension was replaced with a malicious variant, Google removed the extension from the Chrome Web Store.

This hack was first discovered by SerHack, a security researcher and contributor to the Monero project, who immediately tweeted a warning that version 3.39.4 of the MEGA Chrome extension had been hacked. Other security researchers quickly jumped in to analyze the extension and report their findings.

Once installed, the extension would monitor for login form submissions to Amazon, Microsoft, GitHub, and Google.

Monitoring login attempts to various sites

It would also monitor any form submission where the URL contains the strings "Register" or "Login", or where the submitted data includes variables named "username", "email", "user", "login", "usr", "pass", "passwd", or "password".

URLs containing Register or Login
Steal variables with certain names

If the extension detected any of these form submissions or data variables, it would send the credentials and variable values to a host in Ukraine at https://www.megaopac.host/.

Send information to attackers

To make matters worse, the extension would also monitor for the URL patterns "https://www.myetherwallet.com/*", "https://mymonero.com/*", and "https://idex.market/*", and if one was detected, it would execute JavaScript that attempted to steal the logged-in user's cryptocurrency private keys from these sites.

Extension's manifest.json
Capture cryptocurrency keys
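As an added example (not code from the article, from MEGA, or from the researchers), the following Python script audits an extension's manifest.json for the indicators described above: a version at or after the trojaned 3.39.4 build, the broad host permission that Chrome surfaces as "Read and change all your data on the websites you visit", and content scripts matched against the cryptocurrency and login sites the article names. The sample manifest is constructed for illustration and is not the trojaned extension's real manifest.

```python
import json
import re

# Constructed sample manifest modelled on the behaviour the article describes
# (version 3.39.4, broad host access, content scripts aimed at the crypto sites).
# It is NOT the actual manifest of the trojaned extension.
SAMPLE_MANIFEST = json.dumps({
    "name": "MEGA",
    "version": "3.39.4",
    "permissions": ["storage", "<all_urls>", "webRequest", "webRequestBlocking"],
    "content_scripts": [{
        "matches": ["https://www.myetherwallet.com/*",
                    "https://mymonero.com/*",
                    "https://idex.market/*"],
        "js": ["inject.js"],
    }],
})

# Host patterns that Chrome presents as "Read and change all your data on the websites you visit".
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Sites the article says the trojaned build targeted for keys or credentials.
TARGETED_SITES = ("myetherwallet.com", "mymonero.com", "idex.market",
                  "amazon.com", "live.com", "github.com", "google.com")
COMPROMISED_VERSION = "3.39.4"   # first trojaned build per the article
LAST_KNOWN_GOOD = "3.39.3"       # last clean build archived by crx.dam.io


def _version_tuple(version):
    """Turn '3.39.4' into (3, 39, 4) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def audit_manifest(manifest_text):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    manifest = json.loads(manifest_text)
    findings = []
    version = manifest.get("version", "0")
    if _version_tuple(version) >= _version_tuple(COMPROMISED_VERSION):
        findings.append(f"version {version} is at or after trojaned build {COMPROMISED_VERSION}")
    # MV2 keeps host patterns in "permissions"; MV3 moves them to "host_permissions".
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    broad = sorted(perms & BROAD_HOST_PATTERNS)
    if broad:
        findings.append(f"broad host access requested: {broad}")
    for script in manifest.get("content_scripts", []):
        for pattern in script.get("matches", []):
            host = re.sub(r"^[a-z*]+://", "", pattern).split("/")[0]
            hits = [s for s in TARGETED_SITES if host == s or host.endswith("." + s)]
            if hits:
                findings.append(f"content script injected into {hits[0]} ({pattern})")
    return findings
```

Run `audit_manifest()` over each `manifest.json` under the browser's extensions directory; a clean 3.39.3 manifest with only narrow permissions yields no findings.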

According to the Chrome extension archive site crx.dam.io, the last version it archived was 3.39.3, on September 2nd 2018, and that version did not include the malicious code. Therefore, the extension was compromised sometime after September 2nd.

Researchers have also examined the Firefox version of the MEGA add-on and have concluded that it has not been tampered with.

What should you do if you had MEGA installed?

When asked how many users had installed this extension, SerHack told BleepingComputer that there are over 1.6 million affected users, so this hack obviously has a very large impact.

If you had this extension installed, you should remove the MEGA extension immediately. You should then change your passwords at any accounts you may have used while it was installed, especially financial, shopping, banking, and government institutions.

Mega issues a statement regarding hacked extension

In a statement, Mega says that its Chrome Web Store account was hacked and that it is looking into what happened.

"On 4 September 2018 at 14:30 UTC, an unknown attacker uploaded a trojaned version of MEGA's Chrome extension, version 3.39.4, to the Google Chrome webstore," stated a blog post on this matter at Mega.nz. "Upon installation or autoupdate, it would ask for elevated permissions (Read and change all your data on the websites you visit) that MEGA's real extension does not require and would (if permissions were granted) exfiltrate credentials for sites including amazon.com, live.com, github.com, google.com (for webstore login), myetherwallet.com, mymonero.com, idex.market and HTTP POST requests to other sites, to a server located in Ukraine. Note that mega.nz credentials were not being exfiltrated."

They go on to state that since Google removed the ability for publishers to sign their extensions, requiring them instead to rely on Google signing the extension after it is uploaded, it is easier for external compromises to occur.

"We would like to apologise for this significant incident. MEGA uses strict release procedures with multi-party code review, robust build workflow and cryptographic signatures where possible," the blog post continued. "Unfortunately, Google decided to disallow publisher signatures on Chrome extensions and is now relying solely on signing them automatically after upload to the Chrome webstore, which removes an important barrier to external compromise. MEGAsync and our Firefox extension are signed and hosted by us and could therefore not have fallen victim to this attack vector. While our mobile apps are hosted by Apple/Google/Microsoft, they are cryptographically signed by us and therefore immune as well."
