Official MEGA browser extension stole data and cryptocurrency from file-sharing users
Many modern services have their own applications and browser extensions. The file-sharing service MEGA, created by the well-known Kim Dotcom, is no exception. The service appeared as a replacement for Megaupload, which was shut down by the US government, and has been operating for several years without any problems. Rights holders do, of course, have questions about the legality of some of the files hosted there, but because of the way the service works, copyright advocates have so far been unable to do anything about it.
But the other day MEGA slipped up: its extension for the Chrome browser was compromised. The attackers modified the extension with code that turned it into a thief of user data and cryptocurrency.
So far, the problem is known to affect version 3.39.4 of the extension, which was published in the Chrome Web Store just a few days ago. Google representatives have already intervened and removed the extension from the Chrome Web Store. It was also deactivated for all users of the Google browser. Anyone who uses this extension should double-check that it is disabled.
A detailed study of the extension showed that it activated its "hidden talent" on sites and services such as Amazon, Google, Microsoft, GitHub, MyEtherWallet and MyMonero. It also worked on IDEX, a cryptocurrency exchange.
On these services, the extension recorded logins, user passwords and other session data that attackers could use to take over the victims' accounts for their own purposes. In particular, the authors of the modified extension could send victims' funds to their own cryptocurrency wallet, because they could extract the private keys needed to do so.
All of the information was transmitted to the server megaopac.host, which is physically located in Ukraine.
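The double-check recommended above can be scripted. The following Python sketch is an added example, not code from MEGA, Google or the author of this article: it walks a directory of unpacked extensions and flags any whose manifest reports a MEGA extension at version 3.39.4 or whose scripts mention megaopac.host. The directory layout, the function names and the sample extension IDs are assumptions, and the hostname check only works if the name appears in cleartext in the extension's files.

```python
import json
import tempfile
from pathlib import Path

BAD_VERSION = "3.39.4"         # compromised release named in the article
EXFIL_HOST = b"megaopac.host"  # collection server named in the article


def scan_extensions(root):
    """Assumed layout: <root>/<extension id>/<version dir>/manifest.json"""
    findings = []
    for manifest in sorted(Path(root).glob("*/*/manifest.json")):
        try:
            meta = json.loads(manifest.read_text(encoding="utf-8-sig"))
            name, version = str(meta.get("name", "")), str(meta.get("version", ""))
        except (OSError, ValueError, AttributeError):
            continue  # unreadable, malformed or non-object manifest
        reasons = []
        # Version alone would match unrelated extensions, so require the name too.
        if version == BAD_VERSION and "mega" in name.lower():
            reasons.append("version")
        for path in sorted(manifest.parent.rglob("*.js")):
            try:
                if path.is_file() and EXFIL_HOST in path.read_bytes():
                    reasons.append("host:" + path.name)
            except OSError:
                continue
        if reasons:
            findings.append((manifest.parent.parent.name, version, reasons))
    return findings


def make_constructed_sample(root):
    """Build two fake extensions; IDs and file contents are constructed."""
    samples = {
        "aaaa": ("MEGA", "3.39.4", "var u = 'https://megaopac.host/';"),
        "bbbb": ("Some Other Tool", "1.0.0", "console.log('hello');"),
    }
    for ext_id, (name, version, js) in samples.items():
        d = Path(root) / ext_id / (version + "_0")
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps({"name": name, "version": version}))
        (d / "content.js").write_text(js)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_constructed_sample(tmp)
        for ext_id, version, reasons in scan_extensions(tmp):
            print(ext_id, version, ", ".join(reasons))
```

To check a real browser profile, pass the path of its Extensions directory to scan_extensions. A manifest that stores its name as a localization placeholder will not match the name test, so the hostname search acts as the fallback.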
After the incident, representatives of MEGA commented on the situation. In particular, they said that version 3.39.4 was uploaded to the Chrome Web Store on September 4, 2018. As mentioned above, that version has already been neutralized, and the company has uploaded a new version of the extension, v3.39.5. It appeared 4 hours after the problem became known.
“We would like to apologize for the problem. Now we are studying the cause of what happened,” said representatives of MEGA. In its blog, the company expressed regret that Google had decided to disable publisher "signatures" for extensions, so that the check is now performed automatically when new extensions are uploaded to the Web Store. According to some experts, this change in the security rules for extensions reduced the level of protection for their users.
For example, the MEGA extension for Firefox is signed and hosted on the company's own server, which, of course, does not eliminate the possibility of compromise, but still reduces it significantly.
This is not the first time a legitimate Chrome extension has been hacked. Last year, the compromise of Web Developer, an extension designed for developers, came to light. It is very popular: a year ago, Web Developer had about a million users. Apparently, it was the extension's popularity that attracted the attackers.
In that case, the attacker gained control of the Web Developer author's account and was then able to add his own code. After the modified extension was uploaded to the Web Store, all of its users were automatically infected. A year ago, too, the problem was quickly identified and contained: only three hours passed between the detection of the hack and the removal of the infected extension.