Mega.nz Chrome extension hijacked to steal usernames, passwords and cryptocurrency private keys

• The malicious extension was capable of stealing login credentials for websites such as Amazon, Google, Microsoft, GitHub, the MyEtherWallet and MyMonero wallet services, and others.
• Google's team has since removed the hijacked extension from the official Chrome Web Store.
  

The official Mega.nz Chrome extension has been compromised to steal login credentials and private cryptocurrency keys, security researchers have discovered. Italian security researcher and contributor to the Monero project SerHack first spotted the MEGA Chrome extension's malicious behavior and took to Twitter to warn users that the 3.39.4 version of extension had been hacked.

Once installed, the extension was capable of monitoring for specific login submissions on multiple websites including Amazon, Google, Microsoft, GitHub, the MyEtherWallet and MyMonero wallet services and the cryptocurrency trading platform IDEX. The extension could record usernames, passwords and other session data required for the attackers to log into victims' accounts. In cases where cryptocurrency was involved, it could also steal privacy keys to access users' funds.

The collected data would then be relayed to a server hosted in Ukraine.

The malicious v3.39.4 version of the extension was reportedly uploaded on the Chrome Web Store on September 4 at 2:30PM UTC.

Google's team has since removed the extension from the official Chrome Web Store and disabled the extension for existing users. However, users have been advised to review the Chrome browser's Extensions section and make sure it has been disabled.

SerHack said over 1.6 million users were likely affected, Bleeping Computer reports. The Firefox version of the extension was not affected in the incident.

Mega.nz has acknowledged the attack and said a clean version of the extension - v3.39.5 - was submitted to the Chrome Web Store four hours after the breach.

"We would like to apologise for this significant incident. MEGA uses strict release procedures with multi-party code review, robust build workflow and cryptographic signatures where possible," Mega.nz said in a statement. They also noted that Google's decision to disallow publisher signatures on Chrome extensions made it easier for the attackers carry out the extension hijack and upload a malicious version to the official Chrome Web Store.

"Unfortunately, Google decided to disallow publisher signatures on Chrome extensions and is now relying solely on signing them automatically after upload to the Chrome webstore, which removes an important barrier to external compromise," the blog post reads.

"MEGAsync and our Firefox extension are signed and hosted by us and could therefore not have fallen victim to this attack vector. While our mobile apps are hosted by Apple/Google/Microsoft, they are cryptographically signed by us and therefore immune as well. We are currently investigating the exact nature of the compromise of our Chrome webstore account."