Hijacked Mega Extension for Chrome temporarily intercepted logins from popular sites


The Chrome extension for the Mega storage service was temporarily taken over by attackers, who uploaded a modified version to the Chrome Store, Mega warns. The extension intercepted logins for popular services such as GitHub and Amazon.

In its own warning, Mega reports that on September 4, an unknown party put a trojanized version of the extension on the Chrome Store by taking over the company’s Store account. That version was numbered 3.39.4 and asked for permission to read all data on visited sites. According to the company, it replaced this malicious version “within hours” with a patched version numbered 3.39.5. It warns that the malicious extension intercepted logins on github.com, amazon.com, live.com, google.com, myetherwallet.com, mymonero.com, and idex.market. The software also intercepted HTTP POST requests on other sites and forwarded the captured data to a server in Ukraine.

Google has since removed the extension from the Chrome Store. Mega warns that people who had auto-update enabled and approved the new permissions, or who installed the malicious version directly, should consider logins to sites visited while the extension was active to be compromised. It is therefore advisable to check which sites these are and to change the passwords. Where passwords were not unique, it is also wise to change them on the other sites. On the cryptocurrency sites, it may be wise to transfer funds to another account. The malicious extension was also after private keys.
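One way to check a Chrome profile for the versions named in Mega's warning, as an added example that is not code from Mega or from the original article: it reads each installed version's `manifest.json` under the profile's `Extensions/<id>/<version>_0/` directories and reports all-site host permissions. The extension ID is a placeholder and the sample manifests are constructed, not the real extension's.

```python
import json
import tempfile
from pathlib import Path

# Host patterns Chrome shows as "read and change all your data on all websites".
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
BAD_VERSION, FIXED_VERSION = "3.39.4", "3.39.5"  # versions named in Mega's warning
EXT_ID = "PLACEHOLDER_EXTENSION_ID"  # placeholder: the real ID is not on the page

def broad_hosts(manifest):
    """Return the all-site host patterns a manifest requests."""
    requested = list(manifest.get("permissions", []))       # Manifest V2
    requested += manifest.get("host_permissions", [])       # Manifest V3
    for script in manifest.get("content_scripts", []):
        requested += script.get("matches", [])
    return sorted({p for p in requested if isinstance(p, str) and p in BROAD})

def audit(extensions_dir, ext_id=EXT_ID):
    """Report (version, status, broad host patterns) per installed version."""
    findings = []
    for path in sorted(Path(extensions_dir, ext_id).glob("*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            findings.append((path.parent.name, "unreadable", []))
            continue
        version = str(manifest.get("version", ""))
        status = {BAD_VERSION: "trojanized", FIXED_VERSION: "fixed"}.get(version, "other")
        findings.append((version, status, broad_hosts(manifest)))
    return findings

def build_sample(root):
    """Write a constructed Extensions tree; these manifests are not Mega's."""
    samples = {
        "3.39.3_0": {"version": "3.39.3", "permissions": ["storage", "*://mega.nz/*"]},
        "3.39.4_0": {"version": "3.39.4", "permissions": ["storage", "<all_urls>"]},
    }
    for folder, manifest in samples.items():
        target = Path(root, EXT_ID, folder)
        target.mkdir(parents=True)
        (target / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in audit(build_sample(tmp)):
            print(finding)
```

To use it outside the sample, pass `audit` a real profile's `Extensions` directory and the extension's actual ID.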

According to Mega, the Firefox extension is not affected; the same is said to be true of MegaSync and the mega.nz site. Security researcher SerHack warned Tuesday night that the extension had been taken over and published images of the malicious code. It is not the first time that a hijacked account has been used to distribute a malicious version of a browser extension. That happened last year, for example, with the Web Developer extension and recently with Hola VPN.

Mega was founded in 2013 by Kim Dotcom as the successor to file locker service Megaupload. In 2015, he severed his ties with Mega and stated in an interview with Slashdot that users’ data is no longer safe with that service. Mega contradicted this.

Images via SerHack
