On Tuesday, a user on Reddit alerted readers that the Chrome extension for the popular file-sharing platform MEGA had been hacked and used to steal users' private keys, usernames, and passwords. The attack was later confirmed by both MEGA and Monero.
At roughly 11:30 am EST on Tuesday, Reddit user u/gattacus posted an alert in the /r/Monero subreddit cautioning readers not to use v.3.39.4 of the MEGA Chrome extension because it appeared to have been hacked.
Shortly after the alert appeared on Reddit, Monero issued its own warning through its official Twitter account:
PSA: The official MEGA extension has been compromised and now includes functionality to steal your Monero: https://t.co/vzWwcM9E5k
— Monero || #xmr (@monero) September 4, 2018
How Does the Malware Work?
After obtaining the necessary permissions asked for during the installation of the update (see u/gattacus’ explanation, above), the malware would trigger whenever a user logged into any of a number of predetermined websites. Based on an analysis of the hacked extension’s code, which can be found here, accounts at the following websites were being targeted:
According to ZDNet, once triggered, the malicious code would collect user information including usernames, passwords, email addresses, private keys, and other session data and send it to a server located in Ukraine.
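As an added defender-side check that is not part of the original article: a Python script that walks a Chrome profile's Extensions directory and flags a MEGA extension manifest that carries the version MEGA's advisory names as malicious, or that requests the kind of broad page-access permissions the malicious update prompted for. The placeholder folder names and the two sample manifests are constructed for the demonstration; they are not MEGA's real extension ID or manifest contents.

```python
import json
import os
import tempfile

# Version that MEGA's advisory identifies as the malicious update.
MALICIOUS_VERSION = "3.39.4"
# Permissions that let an extension read and rewrite every page the user visits;
# a fresh request for these is the "additional permissions" prompt the advisory warns about.
BROAD_PERMISSIONS = {"<all_urls>", "webRequest", "webRequestBlocking"}

def audit_manifest(manifest):
    """Return findings for one MEGA extension manifest; empty list means nothing flagged."""
    name, version = manifest.get("name", ""), manifest.get("version", "")
    if "mega" not in name.lower():
        return []  # only the MEGA extension is in scope for this check
    findings = []
    if version == MALICIOUS_VERSION:
        findings.append(f"{name} {version}: version reported as malicious")
    broad = sorted(set(manifest.get("permissions", [])) & BROAD_PERMISSIONS)
    if broad:
        findings.append(f"{name} {version}: broad permissions {broad}")
    return findings

def audit_extension_dir(root):
    """Walk a Chrome profile's Extensions directory and audit every manifest.json in it."""
    findings = []
    for dirpath, _, files in os.walk(root):
        if "manifest.json" not in files:
            continue
        path = os.path.join(dirpath, "manifest.json")
        try:
            with open(path, encoding="utf-8") as fh:
                findings.extend(audit_manifest(json.load(fh)))
        except (OSError, ValueError):
            findings.append(f"{path}: unreadable manifest")
    return findings

def build_sample_profile():
    """Constructed sample: two MEGA manifests under a placeholder extension-ID folder."""
    root = tempfile.mkdtemp()
    samples = {  # placeholder_id stands in for the real extension ID, which is not on the page
        "placeholder_id/3.39.4_0": {"name": "MEGA", "version": "3.39.4",
                                    "permissions": ["storage", "<all_urls>", "webRequest"]},
        "placeholder_id/3.39.5_0": {"name": "MEGA", "version": "3.39.5", "permissions": ["storage"]},
    }
    for sub, manifest in samples.items():
        os.makedirs(os.path.join(root, sub))
        with open(os.path.join(root, sub, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return root
```

Point `audit_extension_dir` at a real profile's Extensions folder to run it against installed extensions; the sample profile only exercises the two constructed manifests.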
Credit for discovering the hack goes to an Italian developer and Monero contributor who goes by the pseudonym SerHack.
It should be noted that neither the MEGA extension for Firefox nor the MEGA website itself has been affected.
Several hours after the hack had first been reported, New Zealand-based MEGA addressed the incident via a blog post, which they also posted on Twitter:
Security warning for MEGA Chrome Extension users: v3.39.4 was a malicious update from an unknown attacker. This version would request additional permissions. Anyone who accepted them while it was live for 4 hours may have been compromised and should read https://t.co/tW7EDqKIci
— MEGA (@MEGAprivacy) September 5, 2018
The company acknowledged the hack and noted that four hours after the breach was first reported, it had updated the infected extension (v.3.39.4) with a clean version (v.3.39.5), auto-updating affected installations.
Google has since removed the extension from its Chrome Webstore and disabled the MEGA extension for existing users. At the time of writing, clicking on a download link for the extension brings up a ‘404 Page Not Found’ error.
A MEGA.nz spokesperson apologized for the incident and stated that they are “currently investigating the exact nature of the compromise of our Chrome webstore account.”
The company also expressed dissatisfaction with the security measures of Google’s Chrome Webstore, which it believes may have actually aided the hackers in breaching and hijacking the extension:
We would like to apologise for this significant incident. MEGA uses strict release procedures with multi-party code review, robust build workflow and cryptographic signatures where possible. Unfortunately, Google decided to disallow publisher signatures on Chrome extensions and is now relying solely on signing them automatically after upload to the Chrome webstore, which removes an important barrier to external compromise. MEGAsync and our Firefox extension are signed and hosted by us and could therefore not have fallen victim to this attack vector. While our mobile apps are hosted by Apple/Google/Microsoft, they are cryptographically signed by us and therefore immune as well.
Even if you don’t think that you were affected by the hack, MEGA is recommending that all users reset their passwords for the affected services. It is also strongly recommended that cryptocurrency users transfer their funds to new accounts with new private keys.
Were you a victim of the MEGA Chrome extension hack? What measures will you take going forward to protect your important data? Let us know in the comments below.