- File-sharing website MEGA’s Chrome extension was compromised, and private user data was stolen.
- An unknown attacker uploaded a Trojan version of the extension on September 4.
- Users who updated the extension to v3.39.4 have been affected.
An unknown attacker compromised the web extension of the popular file-sharing website MEGA on September 4 and stole data from users who updated to the latest version of the extension. Several users noticed a suspicious change in the list of permissions the extension requested after the update and alerted the company. The updated extension asked for a new permission: access to read and change all data on the websites that users visited. Many users did not spot the change and had their data compromised.
The MEGA extension was designed to steal user credentials from websites like Microsoft Live, Amazon, GitHub and Google. Anyone who has been affected by the rogue extension should immediately change their usernames and passwords. Apart from stealing usernames and passwords, the extension was also programmed to steal private keys which provide keys to cryptocurrency wallets. Affected services include MyEtherWallet, MyMonero, and Idex.market.
— SerHack (@serhack_) September 4, 2018
After being notified, MEGA investigated and confirmed that the extension had been sending stolen data to a server in Ukraine. The file-sharing company is currently investigating how its Chrome Web Store account was compromised, which subsequently allowed the attacker to log in and upload the malicious version.
Users who had the MEGA extension in their Chrome browsers with auto-updates enabled have been compromised. The company sent out a warning stating “Please note that if you visited any site or made use of another extension that sends plain-text credentials through POST requests, either by direct form submission or through a background XMLHttpRequest process (MEGA is not one of them) while the trojaned extension was active, consider that your credentials were compromised on these sites and/or applications.”
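The warning signs described above were a widened permission set on update and the resulting ability to read credentials submitted to any site. The following is an added example (not MEGA's code or its real manifests) of how a defender can diff two versions of an extension's manifest.json and flag an update that newly requests all-site host access or request-interception APIs; the manifests below are constructed samples.

```python
import json
import re

# Host patterns that grant access to every site the user visits
# (Chrome Manifest V2 conventions, in use in 2018).
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions that let an extension observe or modify HTTP requests.
INTERCEPT_APIS = {"webRequest", "webRequestBlocking"}


def host_permissions(manifest: dict) -> set:
    """Return the host (URL match) patterns a manifest requests.

    Manifest V2 mixes API names and host patterns in 'permissions';
    host patterns are the entries shaped like URL match patterns."""
    perms = manifest.get("permissions", []) + manifest.get("optional_permissions", [])
    return {p for p in perms
            if p == "<all_urls>" or re.match(r"^(\*|https?|file|ftp)://", p)}


def diff_permissions(old: dict, new: dict) -> dict:
    """Compare two manifest versions and report escalations a user should notice."""
    added_hosts = host_permissions(new) - host_permissions(old)
    added_apis = (set(new.get("permissions", [])) - set(old.get("permissions", []))) & INTERCEPT_APIS
    return {
        "old_version": old.get("version"),
        "new_version": new.get("version"),
        "added_hosts": sorted(added_hosts),
        "added_intercept_apis": sorted(added_apis),
        "broad_access_added": bool(added_hosts & BROAD_HOST_PATTERNS),
    }


# Constructed sample manifests (not the real MEGA manifests): the update widens
# host access from the vendor's own origin to every site and adds webRequest.
OLD_MANIFEST = json.loads("""{"name": "example-ext", "version": "1.0.0",
 "permissions": ["storage", "https://example.com/*"]}""")
NEW_MANIFEST = json.loads("""{"name": "example-ext", "version": "1.1.0",
 "permissions": ["storage", "https://example.com/*", "<all_urls>", "webRequest"]}""")

if __name__ == "__main__":
    print(json.dumps(diff_permissions(OLD_MANIFEST, NEW_MANIFEST), indent=2))
```

Run it against the unpacked manifest of the installed version and the one previously backed up; a result with broad_access_added set is the kind of change users noticed here.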
As reported in the MEGA blog post, the trojaned extension was taken down and replaced with a clean version four hours after the initial breach occurred. MEGA credentials, and users who use the service without the extension, are unaffected, and the service remains functional.