MEGA.nz is a cloud file storage and sharing service that also ships a Google Chrome extension. According to security researchers, a compromised version of that extension exfiltrated users' login credentials and cryptocurrency keys.
The service was launched in 2013 by Kim Dotcom, following the demise of MegaUpload. The compromised extension was recently removed from the Chrome Web Store.
Mega Extension Lost Private Keys and Login Credentials
On 4 September, SerHack, reportedly the first researcher to sound the alarm, posted a warning on Twitter. He said that extension version 3.39.4 had been hacked and that the attackers were potentially harvesting user details, including login credentials, from platforms such as Amazon, Google, GitHub, and Microsoft.
!!! WARNING !!!!!!! PLEASE PAY ATTENTION!!
LATEST VERSION OF MEGA CHROME EXTENSION WAS HACKED.
— SerHack (@serhack_) September 4, 2018
The trojaned Mega Chrome extension actively monitored user information entered in the browser and watched for URL strings indicating registration or login forms. The data captured from such forms was delivered to an unidentified host in Ukraine, “https://www.megaopac.host/”.
The malicious code also monitored certain specific URLs, including
Google Chrome Extension Mega App Statement
Mega confirmed the hack in a statement:
On 4 September 2018 at 14:30 UTC, an unknown hacker uploaded a trojaned version of Mega’s Chrome extension, version 3.39.4, to the Google Chrome web store.
After installation or auto update, it would ask for elevated permissions (Read and change all your data on the websites you visit) that Mega’s actual extension does not need and would (if permissions were granted) exfiltrate credentials for sites such as amazon.com, live.com, github.com, google.com (for web store login), myetherwallet.com, mymonero.com, idex.market and HTTP POST requests to other sites, to a server located in Ukraine.
Note that mega.nz credentials were not being exfiltrated.
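The statement above describes the tell-tale sign of the trojaned update: a permission request (“Read and change all your data on the websites you visit”) that the genuine extension never needed. The following script is an added example, not code from Mega or from the original article; it diffs two extension manifests and flags newly requested host patterns that grant site-wide access. The manifests, the extension name “example-sync”, and the earlier version number 3.39.3 are constructed for the example.

```python
import json
import re
from typing import Dict, List, Set

def host_permissions(manifest: Dict) -> Set[str]:
    """Collect host-scoped permissions from an extension manifest.
    MV2 mixes host patterns into "permissions"; MV3 uses "host_permissions".
    Content-script "matches" grant host access too, so they are included."""
    hosts: Set[str] = set()
    for key in ("permissions", "optional_permissions", "host_permissions"):
        for p in manifest.get(key, []):
            # Host patterns contain "://" or are <all_urls>; the rest
            # ("storage", "tabs", ...) are API permissions and are skipped.
            if p == "<all_urls>" or "://" in p:
                hosts.add(p)
    for cs in manifest.get("content_scripts", []):
        hosts.update(cs.get("matches", []))
    return hosts

def is_broad(pattern: str) -> bool:
    """True if the pattern covers every site, i.e. the kind of scope behind
    Chrome's "Read and change all your data on the websites you visit"."""
    return pattern == "<all_urls>" or re.fullmatch(r"(\*|https?)://\*/.*", pattern) is not None

def audit_update(old: Dict, new: Dict) -> Dict[str, List[str]]:
    """Diff two manifest versions and report newly requested host patterns,
    flagging those that are site-wide (they trigger the elevated prompt)."""
    added = sorted(host_permissions(new) - host_permissions(old))
    return {"added_hosts": added, "broad_added": [h for h in added if is_broad(h)]}

# Constructed sample manifests (not MEGA's real files): a narrowly scoped
# version followed by an update that asks for access to every site.
BENIGN_MANIFEST = json.dumps({
    "manifest_version": 2, "name": "example-sync", "version": "3.39.3",
    "permissions": ["storage", "https://mega.nz/*"],
})
TROJANED_MANIFEST = json.dumps({
    "manifest_version": 2, "name": "example-sync", "version": "3.39.4",
    "permissions": ["storage", "https://mega.nz/*", "<all_urls>"],
    "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}],
})

def audit_sample() -> Dict[str, List[str]]:
    """Run the audit over the constructed pair of manifests."""
    return audit_update(json.loads(BENIGN_MANIFEST), json.loads(TROJANED_MANIFEST))

if __name__ == "__main__":
    report = audit_sample()
    if report["broad_added"]:
        print("WARNING: update requests site-wide access:", report["broad_added"])
```

Run against the unpacked manifest.json of an installed extension before and after an auto-update, a non-empty “broad_added” list is the point at which a practitioner should stop and investigate rather than grant the prompt.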
On 5 September, Mega issued another statement blaming Google for removing publishers' ability to sign their own extensions, which Mega says makes such incidents easier to carry out.
The statement reads, in part:
We apologize for this significant incident. Mega uses strict release procedures together with a robust build workflow, multi-party code review, and cryptographic signatures wherever possible.
Unfortunately, Google made a decision to disallow publisher signatures for Chrome extensions. They are now relying solely on signing them automatically after upload to the Chrome Web Store. This removes an important barrier against external compromise.
MEGAsync and our Firefox extension are signed and hosted by us, and could therefore not have fallen victim to this attack vector.
While our mobile apps are hosted by Apple/Google/Microsoft, they are cryptographically signed by us and therefore immune as well.
Security researchers who examined Mega's Firefox extension found no evidence of tampering, consistent with the claims in Mega's statement.
SerHack, who first noticed the hack, advises all users of the MEGA Chrome extension to uninstall it immediately. He also says that these users should immediately change the credentials of every account they have used in that browser, especially accounts relating to financial or government information.
Over the past few years, multiple extensions that appeared legitimate have carried malicious code, giving attackers access to users' cryptocurrency funds. In one recent example, in April 2018, Google removed cryptocurrency-mining extensions from its store and stopped accepting new ones.