A rogue version of file-hosting platform MEGA’s Chrome extension has triggered a major security alert from the company. The variant, first discovered by a contributor to the Monero project on September 4, 2018, was able to steal login information and private keys to cryptocurrency wallets.
MEGA Chrome Extension Compromised
The MEGA Chrome extension version 3.39.4 has been compromised and can now steal user’s Monero in addition to other sensitive information such as login information for Amazon, Live.com, Github.com, and Google’s webstore, according to recent posts on Twitter and Reddit.
MEGA Chrome extension is a tool that claims to improve browser performance by reducing page loading times, in addition to providing a secure cloud storage service.
On September 4, 2018, concerned individuals took to social media to warn about a malicious code that had infiltrated MEGA’s chrome extension, which has been downloaded tens of millions of times across the globe.
While at first many believed that the hack only affected websites such as Facebook, Google, and Amazon, security researches quickly noted that that the updated MEGA extension could grab sensitive data from crypto-related sites as well.
This hack was first discovered by SerHack, a security researcher and contributor to the Monero project, who immediately tweeted a warning.
“It catches your username and password from Amazon, GitHub, Google, Microsoft portals!!,” he said in a tweet.
Ricardo Spagni, a well-known Monero developer, backed up this claim, telling his followers that Monero and Ethereum private keys could be stolen via the combination of MEGA Chrome (version 3.39.4 specifically) and the MyMonero and MyEtherWallet storage solutions.
“Confirmed that it also extracts private keys if you log in to MyMonero and MyEtherWallet in a browser with the extension installed,” Spagni tweeted in response to SerHack.
The official Twitter account of Monero (XMR) posted a warning, also advising XMR holders to steer clear of MEGA.
MEGA was also quick to respond, saying that an unknown attacker uploaded a trojaned version of MEGA’s Chrome extension to the Google Chrome webstore.
What Happened?
According to MEGA, the rogue extension was programmed to steal user credentials for a range of sites including Amazon, Live (Microsoft), Github, and Google’s webstore, meaning that anyone with accounts on these sites could’ve had their usernames and passwords stolen.
The company also noted that whenever a user installed or auto-updated the rogue extension, it sought permissions that the official extension didn’t, effectively allowing it to read and change all of the data on websites the user visits.
A user posting on Reddit revealed that the extension was also able to steal private keys to cryptocurrency wallets affecting MyEtherWallet, MyMonero, and Idex.market.
MEGA was able to confirm the findings, noting that the extension had been sending credentials to a server located in Ukraine, which Monero developer SerHack identified as being www.megaopac.host.
The company believes that Google’s strict release procedures with multi-party code review loosened security and lead to the hack.
“Google decided to disallow publisher signatures on Chrome extensions and is now relying solely on signing them automatically after upload to the Chrome webstore, which removes an important barrier to external compromise,” the company notes.
Since MEGAsync and MEGA’s Firefox extension are both signed and hosted by the company, they are unaffected by this attack. MEGA’s mobile apps, which are hosted by Apple, Google, and Microsoft are also unaffected.
Google employees have since taken action by removing the extension from the Chrome Store and also temporarily disabling the extension for users who already have it installed.