Slashdot Mirror


Official Chrome Extension of Cloud Storage Service Mega Caught Stealing Passwords, Cryptocurrency Private Keys (zdnet.com)

The official Chrome extension for the MEGA.nz file sharing service has been compromised with malicious code that steals usernames and passwords, but also private keys for cryptocurrency accounts, ZDNet reports. From the report: The malicious behavior was found in the source code of the MEGA.nz Chrome extension version 3.39.4, released as an update earlier today. Google engineers have already intervened and removed the extension from the official Chrome Web Store, and also disabled the extension for existing users. According to an analysis of the extension's source, the malicious code triggered on sites such as Amazon, Google, Microsoft, GitHub, the MyEtherWallet and MyMonero web wallet services, and the IDEX cryptocurrency trading platform. The malicious code would record usernames, passwords, and other session data that attackers would need to log in and impersonate users. If the website managed cryptocurrency, the attacker would also extract the private keys needed to access users' funds.

12 of 59 comments

  1. Chrome Extensions = Russian Roulette by bogie · · Score: 2

    Chrome has a terrible record for this. And the worst part is I use Chrome. Have a bunch of extensions I count on daily. I'm guessing the uBlock Origin extension is safe, but for my and your other less popular but still super helpful extensions, you and I are taking HUGE risks every day by using them.

    Get your shit together Google.

    --
    If you wanna get rich, you know that payback is a bitch
    1. Re:Chrome Extensions = Russian Roulette by Anonymous Coward · · Score: 2, Insightful

      You can't count on Google to patrol everything compatible with them. You should ONLY install extensions from known-good developer shops. The fact that something this widespread was a trojan is BAD NEWS, you're right.

    2. Re:Chrome Extensions = Russian Roulette by Jerry · · Score: 4, Interesting

      moz-extension://a90b9c76-acf4-4c11-9730-76c34d348fef/mega/secure.html#blog_47

      "On 4 September 2018 at 14:30 UTC, an unknown attacker uploaded a trojaned version of MEGA's Chrome extension, version 3.39.4, to the Google Chrome webstore. Upon installation or autoupdate, it would ask for elevated permissions (Read and change all your data on the websites you visit) that MEGA's real extension does not require and would (if permissions were granted) exfiltrate credentials for sites including amazon.com, live.com, github.com, google.com (for webstore login), myetherwallet.com, mymonero.com, idex.market and HTTP POST requests to other sites, to a server located in Ukraine. Note that mega.nz credentials were not being exfiltrated. ...

      We would like to apologise for this significant incident. MEGA uses strict release procedures with multi-party code review, robust build workflow and cryptographic signatures where possible. Unfortunately, Google decided to disallow publisher signatures on Chrome extensions and is now relying solely on signing them automatically after upload to the Chrome webstore, which removes an important barrier to external compromise. MEGAsync and our Firefox extension are signed and hosted by us and could therefore not have fallen victim to this attack vector. While our mobile apps are hosted by Apple/Google/Microsoft, they are cryptographically signed by us and therefore immune as well."

      --

      Running with Linux for over 20 years!
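The MEGA statement quoted above says the trojaned 3.39.4 build asked for a permission ("Read and change all your data on the websites you visit") that the genuine extension never needed. That gap between an old and a new manifest is something a reviewer can check mechanically before letting an update through. The script below is an added example and is not code from MEGA, Google, or anyone in this thread; the two manifests are constructed stand-ins, not the real extension's files, and the "hold the update" decision rule is this example's own.

```python
"""Flag permission escalation between two versions of a Chrome extension manifest.

Added example with constructed data. The manifests below are hypothetical and
only model the kind of change described in the thread: a new version adds a
host permission covering every site the user visits.
"""
import json

# Host patterns that grant access to every site; any of these appearing in an
# update that did not have one before is the escalation this check is after.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Constructed sample manifests (hypothetical; not the real extension's files).
OLD_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "Example Storage Helper",
    "version": "3.39.3",
    "permissions": ["storage", "https://mega.nz/*"],
})

NEW_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "Example Storage Helper",
    "version": "3.39.4",
    "permissions": ["storage", "https://mega.nz/*", "<all_urls>",
                    "webRequest", "webRequestBlocking"],
})


def declared_permissions(manifest_text):
    """Return the set of permissions a manifest declares at install time.

    Manifest V2 mixes API and host permissions in "permissions"; Manifest V3
    moves host patterns to "host_permissions". Both keys are collected so the
    same check works for either format. Optional permissions are ignored here
    because they are not granted at install or update time.
    """
    manifest = json.loads(manifest_text)
    perms = set(manifest.get("permissions", []))
    perms |= set(manifest.get("host_permissions", []))
    return perms


def is_broad_host(perm):
    """True if the permission string grants access to all websites."""
    return perm in BROAD_HOST_PATTERNS


def audit_update(old_text, new_text):
    """Compare two manifests and report what the update would newly be able to do.

    Returns a dict with the added and removed permissions, the subset of added
    permissions that are all-sites host patterns, and a hold_update flag that
    is set whenever such a pattern appears for the first time.
    """
    old = declared_permissions(old_text)
    new = declared_permissions(new_text)
    added = sorted(new - old)
    removed = sorted(old - new)
    broad = sorted(p for p in added if is_broad_host(p))
    return {
        "added": added,
        "removed": removed,
        "new_broad_hosts": broad,
        "hold_update": bool(broad),
    }


if __name__ == "__main__":
    report = audit_update(OLD_MANIFEST, NEW_MANIFEST)
    print(json.dumps(report, indent=2))
```

Run against the constructed pair, the audit lists `<all_urls>`, `webRequest` and `webRequestBlocking` as newly requested and sets `hold_update` because `<all_urls>` is an all-sites host pattern. The rule is deliberately narrow: it only trips on host patterns that match every site, since those are what turn a single-service helper into something that can read credentials anywhere, while an added API permission such as `webRequest` is reported but left to a human reviewer.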

  2. unsigned extensions by ftobin · · Score: 4, Interesting

    I guess Firefox is smart in requiring signed extensions:

    "Unfortunately, Google decided to disallow publisher signatures on Chrome extensions and is now relying solely on signing them automatically after upload to the Chrome webstore, which removes an important barrier to external compromise. MEGAsync and our Firefox extension are signed and hosted by us and could therefore not have fallen victim to this attack vector. While our mobile apps are hosted by Apple/Google/Microsoft, they are cryptographically signed by us and therefore immune as well."

    1. Re:unsigned extensions by EndlessNameless · · Score: 2

      This is just massively stupid.

      So if Google accepts an illegitimate "official" upload, there is no way to verify. Maybe it wasn't MEGA, maybe someone compromised their account, or maybe the Chrome extension site got hacked (and Google hasn't even noticed yet). Without the developer's signature, there's no way for an outside party to be sure that they submitted an app full of malware.

      Whoever signs the code owns the problem. If Google doesn't want to be held accountable, they shouldn't be signing extensions.

      --

      ---
      According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
    2. Re:unsigned extensions by viperidaenz · · Score: 2

      Google signs them to prove the official account uploaded the extension.
      If mega lost control of their account, what makes you think they wouldn't have lost their private signing key if one was required?

  3. And here's another issue by Artem S. Tashkinov · · Score: 2

    In Firefox you can disable automatic add-on updates and have their new version scanned at least via VirusTotal, which is not a guarantee that they are innocuous, but at least it's something. In Chrome, extension updates are fully automatic, and if the extension owner has his account hacked (or extensions are sometimes sold), a new version of an extension with new virus "features" might be pushed, "checked" automatically by Google, and since their systems often miss malware, then you're fucked.

    That's the reason why for banking I have a separate Firefox account with just uBlock Origin and nothing else.

  4. Re:Huh? by GWXerog · · Score: 2

    Kim lost control of Mega several years ago. It's owned by some Chinese company now.

  5. Nobody has mentioned THIS? by rudy_wayne · · Score: 2

    Google engineers have already intervened and removed the extension from the official Chrome Web Store, and also disabled the extension for existing users.

    So, Goog can remotely access my browser and disable an extension?

    Sounds like another good reason to tell Goog to fuck off.

    1. Re:Nobody has mentioned THIS? by The MAZZTer · · Score: 2

      Unfortunately most users have proven to be irresponsible when it comes to keeping their PCs secure. Forced Windows Updates and measures like this are the result.

    2. Re:Nobody has mentioned THIS? by The-Ixian · · Score: 2

      Surprise! You thought you were just installing a browser.... but instead you are installing an application platform and remote telemetry vehicle!

      --
      My eyes reflect the stars and a smile lights up my face.
  6. Re:Huh? by baker_tony · · Score: 3, Interesting

    Interesting:
    "The company has suffered from a hostile takeover by a Chinese investor who is wanted in China for fraud," said Dotcom.
    "He used a number of straw-men and businesses to accumulate more and more Mega shares. Recently his shares have been seized by the NZ government. Which means the NZ government is in control."