






Cryptocurrencies are gaining significant attention from criminal hackers as a quick way to steal more money. In a single attempt and without much effort, they can pilfer cryptocurrencies worth millions of dollars. With that in mind, once again, some attackers attempted to steal digital assets by hacking the MEGA Chrome Extension. The hack reportedly affected 1.6 million users.

Hackers Stole Cryptocurrencies And User Credentials Through the MEGA Chrome Extension

On September 4, 2018, a group managed to hack the MEGA Chrome Extension to reach its user base. Allegedly, they accessed MEGA’s Chrome Store profile and uploaded a malicious version of the tool, version 3.39.4. Since it looked legitimate, users simply installed it and approved all the permissions it requested. The hackers could then steal users’ crypto assets by accessing their login credentials and private keys.

A researcher named SerHack first alerted users via a tweet mentioning the hacked extension. He noticed that the tool potentially harvested user credentials from various platforms, including Microsoft, GitHub, Google, and Amazon.

!!! WARNING !!!!!!! PLEASE PAY ATTENTION!! LATEST VERSION OF MEGA CHROME EXTENSION WAS HACKED. Version: 3.39.4 It catches your username and password from Amazon, GitHub, Google, Microsoft portals!! It could catch #mega #extension #hacked@x0rz pic.twitter.com/TnPalqj1cz — SerHack (@serhack_) September 4, 2018

He shared various screenshots in his tweets to prove his discovery. Later, he posted a detailed timeline of the events on his blog, which indicated that the news first broke on Reddit about the malicious MEGA Extension on Chrome. It also mentioned all other instances where various researchers shared their work regarding the attack.

The malicious extension was first noticed because it asked for “elevated permissions”, unlike the genuine MEGA Extension. After harvesting the data, the tool sent the user information to a server at megaopac[.]host, hosted in Ukraine. After the breach was confirmed, NameCheap blocked the megaopac[.]host domain.

While MEGA did not state any specific number of affected users, SerHack told Bleeping Computer that the hack affected over 1.6 million users.

MEGA Confirmed The Hack – Google Removed The Extension

After the news surfaced online, MEGA confirmed the presence of a “trojaned” version of the MEGA extension on the Chrome Store. The tool asked for excessive permissions and could “exfiltrate credentials” for various sites, including crypto wallets such as MyEtherWallet and MyMonero, as well as the decentralized exchange IDEX. With this information, the attackers could sign in to the users’ accounts, extract their private keys and steal the users’ crypto assets.

MEGA publicly disclosed the incident on its blog and confirmed that version 3.39.5 is the genuine version that replaces the hacked one. Google also removed the malicious tool five hours after the incident.

MEGA confirmed that the breach affected only the users of version 3.39.4. As stated in their blog,

“You are only affected if you had the MEGA Chrome extension installed at the time of the incident, autoupdate enabled and you accepted the additional permission, or if you freshly installed version 3.39.4. Please note that if you visited any site or made use of another extension that sends plain-text credentials through POST requests, either by direct form submission or through a background XMLHttpRequest process (MEGA is not one of them) while the trojaned extension was active, consider that your credentials were compromised on these sites and/or applications.”

MEGA Firefox Extension Remained Safe

As confirmed by MEGA as well as the researchers, the hack only affected MEGA’s Chrome Extension. Their Firefox Extension remained safe. MEGA mentioned this in its blog and blamed Google’s policies for apps in the Chrome Store.

“We would like to apologise for this significant incident. MEGA uses strict release procedures with multi-party code review, robust build workflow and cryptographic signatures where possible. Unfortunately, Google decided to disallow publisher signatures on Chrome extensions and is now relying solely on signing them automatically after upload to the Chrome webstore, which removes an important barrier to external compromise. MEGAsync and our Firefox extension are signed and hosted by us and could therefore not have fallen victim to this attack vector. While our mobile apps are hosted by Apple/Google/Microsoft, they are cryptographically signed by us and therefore immune as well.”

Users with MEGA Chrome Extension version 3.39.4 should quickly get rid of this malicious tool by upgrading to version 3.39.5. Moreover, they should closely monitor their crypto assets and change their login credentials and private keys to mitigate the effect.
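As an added illustration (not code from this article or from MEGA), the following Python script walks a Chrome profile's Extensions directory and flags the trojaned MEGA build 3.39.4 as well as any manifest that requests the broad host or webRequest permissions that let an extension read plain-text credentials in POST bodies. The `Extensions/<id>/<version>/manifest.json` layout and the two sample manifests are assumptions for an offline run.

```python
from __future__ import annotations

import json
from pathlib import Path

# Version numbers reported in the article: the trojaned release and its replacement.
MALICIOUS_VERSION = "3.39.4"
CLEAN_VERSION = "3.39.5"

# Host patterns that grant access to every site a user visits, and the API
# permissions that let an extension observe or alter request bodies.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
SENSITIVE_API_PERMISSIONS = {"webRequest", "webRequestBlocking"}


def audit_manifest(manifest: dict) -> list[str]:
    """Return findings for one extension manifest; an empty list means nothing notable."""
    findings: list[str] = []
    name = manifest.get("name", "")
    version = manifest.get("version", "")
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))

    if "mega" in name.lower() and version == MALICIOUS_VERSION:
        findings.append(f"known trojaned MEGA build {version}; upgrade to {CLEAN_VERSION}")
    if perms & BROAD_HOST_PATTERNS:
        findings.append("broad host access: can observe traffic to every site")
    if perms & SENSITIVE_API_PERMISSIONS:
        findings.append("webRequest access: can read/modify request bodies")
    return findings


def audit_profile(extensions_dir: Path) -> dict[str, list[str]]:
    """Audit every <id>/<version>/manifest.json below a Chrome profile's Extensions dir."""
    report: dict[str, list[str]] = {}
    for manifest_path in sorted(extensions_dir.glob("*/*/manifest.json")):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip rather than crash the audit
        findings = audit_manifest(manifest)
        if findings:
            key = f"{manifest_path.parent.parent.name}/{manifest_path.parent.name}"
            report[key] = findings
    return report


# Constructed sample manifests (not MEGA's real manifests) so the script runs offline.
SAMPLE_TROJANED = {"name": "MEGA", "version": "3.39.4",
                   "permissions": ["storage", "webRequest", "webRequestBlocking", "<all_urls>"]}
SAMPLE_CLEAN = {"name": "MEGA", "version": "3.39.5", "permissions": ["storage"]}

if __name__ == "__main__":
    for label, manifest in (("trojaned", SAMPLE_TROJANED), ("clean", SAMPLE_CLEAN)):
        print(label, audit_manifest(manifest) or ["no findings"])
```

To audit a live profile, call `audit_profile(Path.home() / ".config/google-chrome/Default/Extensions")` (adjust the path for your OS); a finding on a non-MEGA extension is a prompt to review why it needs that reach, not proof of compromise.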

Take your time to comment on this article.