MEGA's Chrome extension was replaced with a clean version, 3.39.5, after an unknown attacker uploaded a trojaned version to the Google Chrome Web Store on 4 September. On installation or autoupdate, the trojaned extension asked for elevated permissions that the genuine extension does not require. If those permissions were granted, it exfiltrated credentials for sites such as live.com, amazon.com, github.com, google.com, mymonero.com, myetherwallet.com and idex.market, along with HTTP POST requests to other sites, to a server located in Ukraine.
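The distinguishing sign described above is an update that suddenly asks for permissions the genuine extension never needed. The following Python script is an added example, not code from MEGA or Google: it diffs the permission sets of a known-good Chrome extension manifest against an updated manifest and flags newly requested high-risk permissions, and it also flags the version number the article names as trojaned (3.39.4). The high-risk watch-list, the sample manifests and the placeholder prior version `X.Y.Z` are all constructed for the example.

```python
import json

# Constructed watch-list of permissions that let an extension read or alter
# traffic to arbitrary sites; tune it to your own policy.
HIGH_RISK = {
    "webRequest", "webRequestBlocking", "<all_urls>", "cookies",
    "*://*/*", "http://*/*", "https://*/*",
}

# Version the article names as the trojaned release.
TROJANED_VERSIONS = {"3.39.4"}


def manifest_permissions(manifest: dict) -> set:
    """Collect every permission-like string a Chrome manifest declares
    (MV2 'permissions'/'optional_permissions' and MV3 'host_permissions')."""
    perms = set()
    for key in ("permissions", "optional_permissions", "host_permissions"):
        perms |= {p for p in manifest.get(key, []) if isinstance(p, str)}
    return perms


def audit_update(old_manifest: dict, new_manifest: dict) -> dict:
    """Compare a known-good manifest against an updated one.

    Returns the newly requested permissions, which of those are high-risk,
    whether the new version is a known trojaned release, and a block verdict
    that an admin could feed into an extension allow-list.
    """
    added = manifest_permissions(new_manifest) - manifest_permissions(old_manifest)
    version = new_manifest.get("version")
    high_risk = sorted(added & HIGH_RISK)
    known_bad = version in TROJANED_VERSIONS
    return {
        "version": version,
        "added_permissions": sorted(added),
        "high_risk_added": high_risk,
        "known_trojaned_version": known_bad,
        "block": bool(high_risk) or known_bad,
    }


# Constructed sample manifests; the real MEGA manifests are not reproduced here.
# "X.Y.Z" is a placeholder for whatever version was last reviewed.
KNOWN_GOOD = json.loads("""{
  "name": "Example extension",
  "version": "X.Y.Z",
  "permissions": ["storage", "unlimitedStorage"]
}""")

SUSPICIOUS_UPDATE = json.loads("""{
  "name": "Example extension",
  "version": "3.39.4",
  "permissions": ["storage", "unlimitedStorage",
                  "webRequest", "webRequestBlocking", "<all_urls>"]
}""")

CLEAN_UPDATE = json.loads("""{
  "name": "Example extension",
  "version": "3.39.5",
  "permissions": ["storage", "unlimitedStorage"]
}""")


if __name__ == "__main__":
    for candidate in (SUSPICIOUS_UPDATE, CLEAN_UPDATE):
        print(json.dumps(audit_update(KNOWN_GOOD, candidate), indent=2))
```

The check is deliberately conservative: any new host-wide or traffic-interception permission blocks the update until a human reviews it, which is the same decision the user was asked to make when the trojaned extension prompted for extra permissions, only taken before the code runs rather than at the prompt.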
Four hours after the breach occurred, MEGA replaced the trojaned extension with the clean version 3.39.5, which autoupdated the affected installations. Google removed the extension from the Chrome Web Store five hours after the breach.
MEGA's blog post explained the cause of the breach and placed part of the blame on Google: “Unfortunately, Google decided to disallow publisher signatures on Chrome extensions and is now relying solely on signing them automatically after upload to the Chrome webstore, which removes an important barrier to external compromise. MEGAsync and our Firefox extension are signed and hosted by us and could therefore not have fallen victim to this attack vector. While our mobile apps are hosted by Apple/Google/Microsoft, they are cryptographically signed by us and therefore immune as well.”
According to the blog, users were affected only if they had the MEGA Chrome extension installed at the time of the incident, autoupdate was enabled and the additional permissions were accepted. Users who freshly installed version 3.39.4 were also affected by the trojaned extension. The MEGA team added another important note for users: “Please note that if you visited any site or made use of another extension that sends plain-text credentials through POST requests, either by direct form submission or through a background XMLHttpRequest process (MEGA is not one of them) while the trojaned extension was active, consider that your credentials were compromised on these sites and/or applications.”
Users who access https://mega.nz without the Chrome extension were not affected.
In the final part of the blog, MEGA's developers apologized for the inconvenience this incident caused users. They stated that, wherever possible, MEGA uses strict release procedures with multi-party code review, cryptographic signatures and a robust build workflow. MEGA also stated that it is actively investigating the nature of the attack and how the perpetrator gained access to its Chrome Web Store account.