The MEGA Google Chrome extension has been hacked to steal and hijack login credentials and various forms of cryptocurrency.
Over 1.6 million individuals were infected with the malicious MEGA extension within a 24-hour period. The attack was first noticed by SerHack, a security researcher associated with the Monero project, who tweeted a warning that the extension was hacked. When installed, the malicious extension monitors browsing activity and searches for login submissions to Microsoft, GitHub, Google, and even Amazon, and hijacks credentials once submitted. The malicious extension would not execute, however, until elevated permissions were granted, which MEGA would never request.
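The permission jump described above is something a defender can check for before an update is trusted. The following is an added example, not code from MEGA or from the original article: it diffs the permissions requested by two versions of an extension's manifest.json and flags anything new. The two manifests, their version numbers and the example.com host are constructed sample data, not the real MEGA manifests.

```python
import json

# Match patterns that give an extension access to every site.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Manifest keys that carry API or host permissions (Manifest V2 and V3).
PERMISSION_KEYS = ("permissions", "optional_permissions", "host_permissions")


def requested(manifest: dict) -> set:
    """Collect every permission and host pattern a manifest asks for."""
    found = set()
    for key in PERMISSION_KEYS:
        found.update(p for p in manifest.get(key, []) if isinstance(p, str))
    # Content scripts get page access through their match patterns.
    for script in manifest.get("content_scripts", []):
        found.update(script.get("matches", []))
    return found


def escalation(old_manifest: str, new_manifest: str) -> dict:
    """Diff two manifest.json texts and report what the update newly requests."""
    old, new = json.loads(old_manifest), json.loads(new_manifest)
    added = requested(new) - requested(old)
    return {
        "from": old.get("version"),
        "to": new.get("version"),
        "added": sorted(added),
        "broad_hosts_added": sorted(added & BROAD_HOSTS),
        # Any newly requested permission is a reason to hold the update for review.
        "hold_update": bool(added),
    }


# Constructed sample manifests (hypothetical extension, not MEGA's files).
OLD = json.dumps({
    "name": "Sample Extension", "version": "1.0.0",
    "permissions": ["storage", "https://example.com/*"],
})
NEW = json.dumps({
    "name": "Sample Extension", "version": "1.0.1",
    "permissions": ["storage", "https://example.com/*", "webRequest", "<all_urls>"],
})

if __name__ == "__main__":
    print(json.dumps(escalation(OLD, NEW), indent=2))
```

Run against the manifests of the installed and incoming versions, a non-empty "added" list is the signal to pause the update and review it before granting anything.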
What this means for those that have MEGA:
Mega.nz has officially noticed the hack, and has since replaced the extension in the Chrome Webstore with a clean one as of today’s date. Simply remove the old one and install the new extension.
Mega.nz released a statement and identified that Google’s change in policy for signed extensions has reduced security standards within the Chrome Webstore:
“We would like to apologise for this significant incident. MEGA uses strict release procedures with multi-party code review, robust build workflow and cryptographic signatures where possible,” the blog post continued. “Unfortunately, Google decided to disallow publisher signatures on Chrome extensions and is now relying solely on signing them automatically after upload to the Chrome webstore, which removes an important barrier to external compromise. MEGAsync and our Firefox extension are signed and hosted by us and could therefore not have fallen victim to this attack vector. While our mobile apps are hosted by Apple/Google/Microsoft, they are cryptographically signed by us and therefore immune as well.”