The MEGA Chrome extension version for the MEGA.nz cloud storage service had been compromised and was replaced with a malicious version that can steal users’ credentials for popular websites like Amazon, Microsoft, Github, and Google, as well as private keys for users’ cryptocurrency wallets.
The hacking occurred on 4 September when an unknown attacker managed to enter into MEGA’s Google Chrome web store account and upload a malicious version 3.39.4 of an extension to the web store.
Malicious MEGA Chrome Extension Steals Passwords
During installation or auto-updating, the malicious extension asked for permissions to access personal information, thereby permitting it to steal credentials from sites like Amazon, Github, and Google, along with online wallets such as MyEtherWallet and MyMonero, and Idex.market cryptocurrency trading platform.
This trojanized Mega extension then sent all the stolen information back to an attacker’s server located at megaopac[.]host in Ukraine. The attackers then use this to log in to the victims’ accounts, and also extract the cryptocurrency private keys to steal users’ digital currencies.
Google disallowed publishers to sign their Chrome extensions and instead is now relying solely on signing them automatically by Google after the extension is uploaded, which makes it easier for hackers to push new updates same as developers do.
Monero (XMR) had posted a warning in their official Twitter account regarding the incident, saying that the malicious MEGA extension also includes functionality to steal Monero cryptocurrency and advising Monero holders to stay away from the extension.
One of the security researchers who have reported this breach has posted a warning on Reddit and Twitter, advising users to avoid the trojanised MEGA extension.
The company however did not reveal the number of users affected by the security incident, but it is believed that the malicious version of the MEGA Chrome extension may have been installed by tens of millions of users.
What MEGA Users Should Do Next?
The Firefox version of MEGA has not been impacted or tampered with, and users accessing MEGA through its official website (https://mega.nz) without the Chrome extension are also not affected by the breach.
On knowing about the breach, the company updated the extension with a clean MEGA version (3.39.5), auto-updating all the affected installations.
Google has also removed the MEGA extension from its Chrome Web Store soon after the breach. But the users should still be cautious that their credentials have been compromised on websites and applications they visited while the trojanized MEGA Chrome extension was active.
Users who had installed the malicious extension should uninstall the MEGA extension version 3.39.4 at the earliest and change passwords for all your accounts, especially for those you may have used while having the malicious extension.