WARNING: Latest Update To MEGA Chrome Extension Is A Phishing Attempt

Any user with this extension should immediately delete it, and decline when it asks permissions to read data on all websites.

Jeremy Nation
Sep 4, 2018 · 4 min read

UPDATE: MEGA has issued the following statement:

On 4 September 2018 at 14:30 UTC, an unknown attacker uploaded a trojaned version of MEGA’s Chrome extension, version 3.39.4, to the Google Chrome webstore. Upon installation or autoupdate, it would ask for elevated permissions (Read and change all your data on the websites you visit) that MEGA’s real extension does not require and would (if permissions were granted) exfiltrate credentials for sites including amazon.com, live.com, github.com, google.com (for webstore login), myetherwallet.com, mymonero.com, idex.market and HTTP POST requests to other sites, to a server located in Ukraine. Note that mega.nz credentials were not being exfiltrated.

Four hours after the breach occurred, the trojaned extension was updated by MEGA with a clean version (3.39.5), autoupdating affected installations. Google removed the extension from the Chrome webstore five hours after the breach.

You are only affected if you had the MEGA Chrome extension installed at the time of the incident, autoupdate enabled and you accepted the additional permission, or if you freshly installed version 3.39.4. Please note that if you visited any site or made use of another extension that sends plain-text credentials through POST requests, either by direct form submission or through a background XMLHttpRequest process (MEGA is not one of them) while the trojaned extension was active, consider that your credentials were compromised on these sites and/or applications.

Users accessing https://mega.nz without the Chrome extension have not been affected.

We would like to apologise for this significant incident. MEGA uses strict release procedures with multi-party code review, robust build workflow and cryptographic signatures where possible. Unfortunately, Google decided to disallow publisher signatures on Chrome extensions and is now relying solely on signing them automatically after upload to the Chrome webstore, which removes an important barrier to external compromise. MEGAsync and our Firefox extension are signed and hosted by us and could therefore not have fallen victim to this attack vector. While our mobile apps are hosted by Apple/Google/Microsoft, they are cryptographically signed by us and therefore immune as well.

We are currently investigating the exact nature of the compromise of our Chrome webstore account.

Initial Coverage:

Today, September 4, 2018, the MEGA cloud storage extension for Chrome was breached as an update shows malicious code added to the extension’s manifest.json and content.js allows the program to steal information from users including private keys to cryptocurrency wallets as well as username and password data from Amazon, GitHub, Google, and Microsoft accounts.

This isn’t the first time the Chrome Store has played host to a phishing extension focused on private keys; earlier this year a malicious version of MetaMask was briefly uploaded to the Chrome store after the real MetaMask add-on was erroneously removed from the store.

It is unclear whether the changes to the MEGA extension are the result of a hack of the team’s Google Webstore account, or whether there was another type of security issue. The last commit to the team’s GitHub was made 4 months ago, and the update that went out today isn’t among those items.

MEGA has yet to respond regarding the breached extension.

Apparently, an update to the MEGA extension prompts the add-on to ask users for permission to read data on all websites. This red flag caused some users to criticize or uninstall the add-on:

Reports of the MEGA extension breach began to spread across social media after Reddit user gattacus spotted the malicious changes to the formerly benign extension’s code. In greater detail, Monero developer SerHack tweeted warnings to the global community to remove the applications, after a review of the code revealed cryptocurrency wallets affected include MyMonero, MyEtherWallet, and Aurora.

Analysis of the code reveals that the data being skimmed by the malicious extension is being forwarded to h[xx]ps://www.megaopac[dot]host/. MetaCert has classified this resource, as well as the link to the MEGA Chrome extension have been classified as malicious. Once again, if you have this extension on your computer uninstall it immediately.

As this case is ongoing, when more details become clear I will update the report.

MetaCert Protocol is the best in the world at one thing — URL Classification.

MetaCert Protocol is decentralizing cybersecurity for the Internet, by defining ownership and URL classification information about domain names, applications, bots, crypto wallet addresses, social media accounts and APIs. The Protocol’s registry can be used by ISPs, routers, Wi-Fi hotspots, crypto wallets and exchanges, mobile devices, browsers and apps, to help address cyber threats such as phishing, malware, brand protection, child safety and news credibility. Think of MetaCert Protocol as the modern version of the outdated browser padlock and whois database combined.

Find out more about the MetaCert Protocol, ask questions, and leave suggestions on both our White Paper and Technical Paper. You can also join our Telegram community to stay up to date on our blockchain project. Remember to install Cryptonite to protect yourself from phishing scams before it’s too late.

METACERT

MetaCert builds tools to help protect people from phishing attacks.

Jeremy Nation

Written by

Writer, researcher, and analyst.

METACERT

METACERT

MetaCert builds tools to help protect people from phishing attacks.

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade