Slashdot Mirror

← Back to Stories (view on slashdot.org)

Official Chrome Extension of Cloud Storage Service Mega Caught Stealing Passwords, Cryptocurrency Private Keys (zdnet.com)

Posted by msmash on from the security-woes dept.

The official Chrome extension for the MEGA.nz file sharing service has been compromised with malicious code that steals usernames and passwords, but also private keys for cryptocurrency accounts, ZDNet reports. From the report: The malicious behavior was found in the source code of the MEGA.nz Chrome extension version 3.39.4, released as an update earlier today. Google engineers have already intervened and removed the extension from the official Chrome Web Store, and also disabled the extension for existing users. According to an analysis of the extension's source, the malicious code triggered on sites such as Amazon, Google, Microsoft, GitHub, the MyEtherWallet and MyMonero web wallet services, and the IDEX cryptocurrency trading platform. The malicious code would record usernames, passwords, and other session data that attackers would need to log in and impersonate users. If the website managed cryptocurrency, the attacker would also extract the private keys needed to access users' funds.

59 comments

  1. Malicious Code by divide+overflow · · Score: 1

    So who put that code in the source?

    1. Re: Malicious Code by Anonymous Coward · · Score: 0

      Kim dot com.

    2. Re:Malicious Code by Anonymous Coward · · Score: 1

      So who put that code in the source?

      The 'source', of course. Yeah, I'll show myself the door now.

    3. Re:Malicious Code by rudy_wayne · · Score: 1

      I don't understand. Why do I need an extension? I can access Mega with my browser just fine without any extensions. What sort of fucktardedness is this?

    4. Re:Malicious Code by Gabest · · Score: 1

      Because it says http cache is full and cannot get rid of it.

  2. They didn't steal my by q4Fry · · Score: 0

    ...Frosty piss

  3. That's no backdoor! by Anonymous Coward · · Score: 0

    It's our security services protecting us from pedophiles.

  4. "So THIS is what Hobbit flesh tastes like!" by Anonymous Coward · · Score: 0, Offtopic

    "So THIS is what Hobbit flesh tastes like!" cried Gandalf.

    Gollum chuckled as he and Gandalf, secret friends from the start, masturbated with Hobbit meat over a roaring fire.

  5. Chrome Extensions = Russian Roulette by bogie · · Score: 2

    Chrome has a terrible record for this. And the worst part is I use Chrome. Have a bunch of extensions I count on daily. I'm guessing the Ublock Origin extension is safe but for my and your other less popular but still super helpful extensions you and I are taking HUGE risks every day by using them.

    Get your shit together Google.

    --
    If you wanna get rich, you know that payback is a bitch
    1. Re:Chrome Extensions = Russian Roulette by Anonymous Coward · · Score: 2, Insightful

      You can't count on Google to patrol everything compatible with them. You should ONLY install extensions from known-good developer shops. The fact that something this widespread was a trojan is BAD NEWS, you're right.

    2. Re:Chrome Extensions = Russian Roulette by Sloppy · · Score: 1

      Get your shit together Google.

      WTF. Google recommended people use this extension?! The article left that out.

      If you want someone else to adjudicate what software is good/bad for you, perhaps you might be happier with an iPad or XBox or PlayStation.

      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
    3. Re:Chrome Extensions = Russian Roulette by Jerry · · Score: 4, Interesting

      moz-extension://a90b9c76-acf4-4c11-9730-76c34d348fef/mega/secure.html#blog_47

      "On 4 September 2018 at 14:30 UTC, an unknown attacker uploaded a trojaned version of MEGA's Chrome extension, version 3.39.4, to the Google Chrome webstore. Upon installation or autoupdate, it would ask for elevated permissions (Read and change all your data on the websites you visit) that MEGA's real extension does not require and would (if permissions were granted) exfiltrate credentials for sites including amazon.com, live.com, github.com, google.com (for webstore login), myetherwallet.com, mymonero.com, idex.market and HTTP POST requests to other sites, to a server located in Ukraine. Note that mega.nz credentials were not being exfiltrated. ...

      We would like to apologise for this significant incident. MEGA uses strict release procedures with multi-party code review, robust build workflow and cryptographic signatures where possible. Unfortunately, Google decided to disallow publisher signatures on Chrome extensions and is now relying solely on signing them automatically after upload to the Chrome webstore, which removes an important barrier to external compromise. MEGAsync and our Firefox extension are signed and hosted by us and could therefore not have fallen victim to this attack vector. While our mobile apps are hosted by Apple/Google/Microsoft, they are cryptographically signed by us and therefore immune as well."

      --

      Running with Linux for over 20 years!

    4. Re:Chrome Extensions = Russian Roulette by johnsie · · Score: 1

      How do you know if a developer shop is "good"?

  6. This by DontBeAMoran · · Score: 1, Insightful

    This kind of crap is why I never install any extensions.

    --
    #DeleteFacebook
    1. Re:This by Anonymous Coward · · Score: 0

      Yeah but itâ(TM)s a sad day when you are proven right by a warez extension.

    2. Re:This by Anonymous Coward · · Score: 0

      Shady people are doing shady things... shocker?

    3. Re:This by Anonymous Coward · · Score: 1

      This kind of crap is why I never install any extensions.

      Really? Because without certain kinds of extensions/add-ons, the web is really pretty much unusable.

      Right now in my Chrome, I have 4 different privacy plugins to block the living shit out of the ad companies, trackers, and other parasites.

      I can mark sites as not being able to set cookies, run scripts, and in some cases, not be contacted at all (Facebook, Twitter, etc).

      I wouldn't use the internet if I didn't have plugins to block all of this shit.

      This just sounds like a very shady company acting like blatant assholes, and in dire need of having their gonads fed to them .. or being grossly incompetent, and getting hacked, and in dire need of having their gonads fed to them.

    4. Re:This by mdm-adph · · Score: 1

      You don't need any plugins at all to do all that. I browse the web with no plugins at all.

      Get you a pihole (https://pi-hole.net/), and do that at the dns level.

      --
      It is by my will alone my thoughts acquire motion; it is by the juice of the coffee bean that the thoughts acquire speed
    5. Re:This by Anonymous Coward · · Score: 0

      This kind of crap is why I never install any extensions.

      Really? Because without certain kinds of extensions/add-ons, the web is really pretty much unusable.

      Thanks to all the retarded fuckwad developers at Google, Mozilla, Microsoft and Apple who absolutely refuse to make a browser with the features that are needed.

    6. Re:This by Anonymous Coward · · Score: 1

      Don't worry, Firefox is getting around that with DNS over HTTPS, to satisfy the advertisers who financially back the Mozilla Foundation.

    7. Re:This by Anonymous Coward · · Score: 0

      That doesn't block all malicious content, you are mistaken. Pi-hole is good, but it doesn't replace browser-level blocking requirement for tracking purposes - or security purposes. That's retarded to rely on it 100%.

      Extensions are required to browse securely. Anyone who pretends Chrome is somehow immune to drive-by because of a pi-hole doesn't understand what they're used for or how they work, or are limited.

  7. Skim by Anonymous Coward · · Score: 1

    Did he change his name to Skim Dotcom now?

    1. Re: Skim by Anonymous Coward · · Score: 0

      He hasn't owned Mega since 2013 so fuck off.

    2. Re: Skim by Anonymous Coward · · Score: 0

      Two years later, in 2015. And then he claimed the NZ government had taken over control and ownership? Well, who knows...

  8. Huh? by Opportunist · · Score: 1

    I thought Kimmie doesn't own Mega anymore?

    Looks like someone wants to let the legacy live on...

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:Huh? by baker_tony · · Score: 1

      Mega is his new site.
      MegaUpload is the one that was taken down.

    2. Re:Huh? by GWXerog · · Score: 2

      Kim lost control of Mega several years ago. It's owned by some Chineese company now

    3. Re:Huh? by dissy · · Score: 1

      I thought Kimmie doesn't own Mega anymore?

      Correct, the New Zealand government seized it back in 2015 and are the current owners.
      It's day to day operations are performed by a Chinese investor.

      It was on Slashdot
      https://yro.slashdot.org/story/15/07/27/200204/interviews-kim-dotcom-answers-your-questions

      Dotcom: I'm not involved in Mega anymore. Neither in a managing nor in a shareholder capacity. The company has suffered from a hostile takeover by a Chinese investor who is wanted in China for fraud. He used a number of straw-men and businesses to accumulate more and more Mega shares. Recently his shares have been seized by the NZ government. Which means the NZ government is in control. In addition Hollywood has seized all the Megashares in the family trust that was setup for my children. As a result of this and a number of other confidential issues I don't trust Mega anymore. I don't think your data is safe on Mega anymore. But my non-compete clause is running out at the end of the year and I will create a Mega competitor that is completely open source and non-profit, similar to the Wikipedia model. I want to give everyone free, unlimited and encrypted cloud storage with the help of donations from the community to keep things going.

    4. Re:Huh? by baker_tony · · Score: 3, Interesting

      Interesting:
      "The company has suffered from a hostile takeover by a Chinese investor who is wanted in China for fraud," said Dotcom.
      "He used a number of straw-men and businesses to accumulate more and more Mega shares. Recently his shares have been seized by the NZ government. Which means the NZ government is in control."

    5. Re:Huh? by GWXerog · · Score: 1

      INTERDAST

  9. unsigned extensions by ftobin · · Score: 4, Interesting

    I guess Firefox is smart in requiring signed extensions:

    "Unfortunately, Google decided to disallow publisher signatures on Chrome extensions and is now relying solely on signing them automatically after upload to the Chrome webstore, which removes an important barrier to external compromise. MEGAsync and our Firefox extension are signed and hosted by us and could therefore not have fallen victim to this attack vector. While our mobile apps are hosted by Apple/Google/Microsoft, they are cryptographically signed by us and therefore immune as well."

    1. Re:unsigned extensions by EndlessNameless · · Score: 2

      This is just massively stupid.

      So if Google accepts an illegitimate "official" upload, there is no way to verify. Maybe it wasn't MEGA, maybe someone compromised their account---or maybe the Chrome extension site got hacked (and Google hasn't even noticed yet). Without the developer's signature, there's no way for an outside party to be sure that they submitted an app full of malware.

      Whoever signs the code owns the problem. If Google doesn't want to be held accountable, they shouldn't be signing extensions.

      --

      ---
      According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
    2. Re:unsigned extensions by The+MAZZTer · · Score: 1

      Funny thing, is, Chrome requires a signature too, but I guess Google thought it was too complicated for developers and abstracted it away (the web store signs it for you on upload. Of course, even if Google switched to requiring devs to sign with their own keys, it doesn't matter if you sell your extension to someone; they'll just switch to asking for your key as part of the deal.

    3. Re:unsigned extensions by viperidaenz · · Score: 2

      Google signs them to prove the official account uploaded the extension.
      If mega lost control of their account, what makes you think they wouldn't have lost their private signing key if one was required?

    4. Re:unsigned extensions by ftobin · · Score: 1

      Signing code is a different workflow than uploading to Google. Also, why not just let both Google and the publisher sign the code, which each signature imparting different meaning?

    5. Re:unsigned extensions by viperidaenz · · Score: 1

      Who's going to verify the publishers signature?
      You'll need someone you trust to hold the relevant public keys. How is the browser going to know where to find the public key to verify the publishers signature? From a copy held by the Chrome Store? Uploaded using the publishers account, which is what was compromised?
      Or verify that Google has signed their signing certificate? Signed using the publishers account to verify their identity?

      The application can't do it itself, as that's what is compromised.

      You haven't thought this through end to end have you?

    6. Re:unsigned extensions by ftobin · · Score: 1

      Compromising the account does not imply that the PKI is also compromised. Updating the public key can require a stringent protocol.

    7. Re:unsigned extensions by viperidaenz · · Score: 1

      And the managing of the account that allows anyone who controls it to send automatic updates of arbitrary code to hundreds of thousands, perhaps millions of customer devices, is not as important?

      Do you also realise that having the publisher sign the code too requires the device to explicitly trust the publisher, or trust someone else who has signed their certificate?

      Mozilla realised this is pointless, you may as well sign it with the party the browser already trusts. You don't sign your own extensions anymore. You use an API to have Mozilla sign them now. This changed in Firefox 43, back in 2015. It's great to see you've kept up with things.
      https://developer.mozilla.org/...

    8. Re:unsigned extensions by ftobin · · Score: 1

      I'll simlply defer to what MEGA stated:

      MEGAsync and our Firefox extension are signed and hosted by us and could therefore not have fallen victim to this attack vector. While our mobile apps are hosted by Apple/Google/Microsoft, they are cryptographically signed by us and therefore immune as well.

    9. Re:unsigned extensions by viperidaenz · · Score: 1

      So they signed something that no one is going to check.

      Yeah, i'd trust them with security.

  10. Wouldn't be surprised if the NSA put that code in. by Anonymous Coward · · Score: 0

    Just as payback for him fighting their terrorism.

    I mean it IS an age-old strategy, mentioned in the Snowden leaks, and used even by private companies nowadays. Just slip incriminating evidence onto somebody's systems, and call the cops on him anonymously. With a software company, something like this here is of course a much more effective strategy to ruin them.

  11. And here's another issue by Artem+S.+Tashkinov · · Score: 2

    In Firefox you can disable automatic addons updates and have their new version scanned at least via virustotal which is not a warranty that they are innocuous but at least something. In Chrome extensions updates are fully automatic and if the extension owner has his account hacked (or extensions are sometimes sold) a new version of an extension with new virus "features" might be pushed, "checked" automatically by Google and since their systems often miss malware then you're fucked.

    That's the reason why for banking I have a separate Firefox account with just uBlock Origin and nothing else.

    1. Re:And here's another issue by Artem+S.+Tashkinov · · Score: 1

      And here's another thought: Google and Mozilla don't spend nearly enough resources to properly verify extensions/addons and since they are so powerful by default (pretty much all extensions/addons for Chrome/Firefox require full access to all websites), all your in-browser data is completely jeopardized and for many people that's all the important data they have: passwords and cloud accounts.

      I don't quite understand how JS in addons/extensions work but I don't think it's such a tall order to limit their ability to download external JS code and disable any uploads which might be used to extend their "features". On the other hand it might not be possible at all, since JS allows to modify itself - I'm not a JS programmer.

    2. Re:And here's another issue by Anonymous Coward · · Score: 0

      That won't save you. I use native code extensions for GPG. Different browser = no problem once native code gets updated.

  12. And Mozilla gave up real extensions for this! by Anonymous Coward · · Score: 1

    Remember how they said that they will become Chrome^W^Wswitch to Chrome-style extensions, precisely so they could prevent things like this from happening?

    I hope the entire idiotic inner-platform effect "web platform" dies a horrible death.
    BTW: Is there a "platform" running ON "HTML5" yet? (Without employing WebAssembly, and risking things being easily compilable for the OS below, of course. And without merely running a virtual machine, like JSLinux.)

  13. Nobody has mentioned THIS? by rudy_wayne · · Score: 2

    Google engineers have already intervened and removed the extension from the official Chrome Web Store, and also disabled the extension for existing users.

    So, Goog can remotely access my browser and disbable an extension?

    Sounds like another good reason to tell Goog to fuck off.

    1. Re:Nobody has mentioned THIS? by The+MAZZTer · · Score: 2

      Unfortunately most users have proven to be irresponsible when it comes to keeping their PCs secure. Forced Windows Updates and measures like this are the result.

    2. Re:Nobody has mentioned THIS? by The-Ixian · · Score: 2

      Surprise! You thought you were just installing a browser.... but instead you are installing an application platform and remote telemetry vehicle!

      --
      My eyes reflect the stars and a smile lights up my face.
    3. Re:Nobody has mentioned THIS? by Anonymous Coward · · Score: 0

      This has been known for years. Maybe you're just out of the loop.

    4. Re:Nobody has mentioned THIS? by viperidaenz · · Score: 1

      Alternatively, they could have yet you run malicious code.

      they also told you they'd do that too, btw

      20. Additional Terms for Extensions for Google Chrome

      20.1 These terms in this section apply if you install extensions on your copy of Google Chrome. Extensions are small software programs, developed by Google or third parties, that can modify and enhance the functionality of Google Chrome. Extensions may have greater privileges to access your browser or your computer than regular webpages, including the ability to read and modify your private data.

      20.2 From time to time, Google Chrome may check with remote servers (hosted by Google or by third parties) for available updates to extensions, including but not limited to bug fixes or enhanced functionality. You agree that such updates will be automatically requested, downloaded, and installed without further notice to you.

      20.3 From time to time, Google may discover an extension that violates Google developer terms or other legal agreements, laws, regulations or policies. Google Chrome will periodically download a list of such extensions from Google’s servers. You agree that Google may remotely disable or remove any such extension from user systems in its sole discretion.

    5. Re:Nobody has mentioned THIS? by Shikaku · · Score: 1

      http://kb.mozillazine.org/Bloc...

      It's not the first nor the last. You can see the list here for Firefox: https://blocked.cdn.mozilla.ne...

    6. Re:Nobody has mentioned THIS? by pD-brane · · Score: 1

      Is sometimes use Chromium, without adding plug-ins/extensions.

      Am I vulnerable through bare Chromium to automated data collection (beyond that my ISP, amongst others, can see what websites I visit when I don't use Tor)?

  14. NSA has the accces required by Anonymous Coward · · Score: 1

    granted by Google, after an appropriate court order was served up. America's government fights for their own corporate, of course, and they want their own Google and Microsoft to have all the customers and a monopoly on these and other internet services.

    Easy access, great opportunity to try to destroy Mega, and get customers. If you have enough customers, you effectively have complete control.

    1. Re:NSA has the accces required by viperidaenz · · Score: 0

      That's why Google removed the extension from their store and disabled it in all browsers?
      Your conspiracy theory makes no sense at all.

  15. Still rockin' IE... by Anonymous Coward · · Score: 1

    ...and I have NO extension...

    1. Re:Still rockin' IE... by johnsie · · Score: 1

      I'm rockin' your IE too... still no security :-)

  16. They didn't get caught by RasmusKallas · · Score: 1

    They reported themselves, at twitter. It's not their fault. It's Google's.