Home / Archive / Hacked MEGA Chrome Extension was Used to Steal Cryptocurrency

Hacked MEGA Chrome Extension was Used to Steal Cryptocurrency

Last Updated March 4, 2021 3:37 PM
David Hundeyin
Last Updated March 4, 2021 3:37 PM

The Google Chrome extension for the popular file upload and sharing service MEGA has been compromised by hackers looking to steal login credentials and cryptocurrency keys, according to information from security researchers.

The service, which was launched by Kim Dotcom in 2013 after the demise of MegaUpload, has had its Chrome extension removed from the Chrome Web Store presently.

SerHack  was the first researcher to sound the alarm, warning in a tweet  on September 4 that version 3.39.4 of the extension was hacked, and potentially harvesting user information including usernames and passwords from a number of platforms including Amazon, Github, Google and Microsoft.

Stealing Login Information

The compromised MEGA extension actively monitors user information stored in the browser, looking out for URL strings that indicate registration or login forms. The data on such forms is then sent to an unidentified host in Ukraine called https://www.megaopac.host/.

The malicious code also monitors for specific URLs such as “https://www.myetherwallet.com/*”, “https://mymonero.com/*”, and “https://idex.market/*”. If saved information is detected, it then executes a javascript function that attempts to steal private crypto keys from logged in users.

Confirming the hack, MEGA released a statement that reads in part:

“On 4 September 2018 at 14:30 UTC, an unknown attacker uploaded a trojaned version of MEGA’s Chrome extension, version 3.39.4, to the Google Chrome webstore. Upon installation or autoupdate, it would ask for elevated permissions (Read and change all your data on the websites you visit) that MEGA’s real extension does not require and would (if permissions were granted) exfiltrate credentials for sites including amazon.com, live.com, github.com, google.com (for webstore login), myetherwallet.com, mymonero.com, idex.market and HTTP POST requests to other sites, to a server located in Ukraine. Note that mega.nz credentials were not being exfiltrated.”

Google to Blame?

In the statement released yesterday, MEGA blamed Google for removing their ability to sign extensions, making it easier for such incidents to take place.

An excerpt from the statement reads:

“We would like to apologise for this significant incident. MEGA uses strict release procedures with multi-party code review, robust build workflow and cryptographic signatures where possible. Unfortunately, Google decided to disallow publisher signatures on Chrome extensions and is now relying solely on signing them automatically after upload to the Chrome webstore, which removes an important barrier to external compromise. MEGAsync and our Firefox extension are signed and hosted by us and could therefore not have fallen victim to this attack vector. While our mobile apps are hosted by Apple/Google/Microsoft, they are cryptographically signed by us and therefore immune as well.”

Security researchers examining MEGA’s Firefox extension have seen no evidence of tampering, which would appear to support the claims in MEGA’s statement.

Speaking to Bleeping Computer , SerHack who initially discovered the hack advised all Chrome MEGA users to uninstall the extension immediately. He also said that such users should immediately change all their passwords on any account they may have used on the browser, especially accounts relating to financial or government information.

CCN.com earlier reported that cybercriminals are continuously developing new ways to illegally acquire cryptocurrency, moving from cryptojacking to sim swapping amongst other tactics.

Featured image from Shutterstock.