Another Chrome Extension has come under attack this week. Mega Cloud Storage service based in New Zealand announced Tuesday in a blog post that their Chrome Web Store account had been compromised and the attacker was able to upload a corrupted version of the Mega Chrome extension.
Unfortunately, Chrome extensions generally update automatically in the background and for roughly four hours, the malicious extension was live in the Web Store.
Upon installation or auto update, it would ask for elevated permissions (Read and change all your data on the websites you visit) that MEGA’s real extension does not require and would (if permissions were granted) exfiltrate credentials for sites including amazon.com, live.com, github.com, google.com (for webstore login), myetherwallet.com, mymonero.com, idex.market and HTTP POST requests to other sites, to a server located in Ukraine. Note that mega.nz credentials were not being exfiltrated.
The alarms began to sound when a Redditor took to the web to warn the crypto community that passwords and encrypted keys for a number of Cryptocurrency wallets as well as the Ethereum exchange IDEX.
PSA: The official MEGA extension has been compromised and now includes functionality to steal your Monero: https://t.co/vzWwcM9E5k
— Monero || #xmr (@monero) September 4, 2018
If you aren’t familiar with Mega, they were rebirthed from the failed Hong Kong-based Megaupload file storage service. After being shut down in 2012 for piracy, the companies founder launched Mega as a cloud storage and file sharing platform with the motto “The Privacy Company.” This breach is a low blow to the company that is reported to have 100 million-plus users around the globe.
Mega was quick to make the attack public once it was identified and quickly uploaded a clean version of the extension to the Chrome Web Store. The company also pointed out that other Mega products including the Firefox extension were unaffected and that the vulnerability of the Chrome extension was due the manner in which the package file signatures are assigned
MEGA uses strict release procedures with multi-party code review, robust build workflow and cryptographic signatures where possible. Unfortunately, Google decided to disallow publisher signatures on Chrome extensions and is now relying solely on signing them automatically after upload to the Chrome webstore, which removes an important barrier to external compromise.
This is just another in a long line of security holes in the Chrome Web Store over the past few years. Google has recently given the Store a facelift and it is our hope and even plea that as it continues to evolve, the folks at Mountain View will give the protocol for publishing Chrome apps and extensions will be given a revamp.
If you are a Mega user, your extension should have updated automatically to the secure, clean version. To be safe, head to chrome://extensions and ensure you have version 3.39.5 of the Mega extension or you can download it from the Chrome Web Store here.
