MEGA File-Sharing Service’s Chrome Extension Hacked, Cryptocurrency Accounts Compromised

September 6, 2018 6:52 PM

MEGA, a New Zealand-based cloud storage and file hosting service, recently issued a security warning regarding a “trojaned” version of its extension that an unknown attacker uploaded to the Chrome Web Store. The malicious update, version 3.39.4, asked for permission to read and change data on websites that users visited. The MEGA team noted that affected sites included amazon.com, github.com, google.com, myetherwallet.com, and mymonero.com, among others.

Four hours after the security breach, MEGA updated the malicious version with a “clean” one (3.39.5). An hour after that, Google removed the extension from the Chrome Web Store. As of press, 3.40.2 is available for download.

Individuals were only affected by the hack if they had the MEGA Chrome extension installed when the attack occurred and had the auto-update feature enabled and accepted the additional permission request (or if they downloaded 3.39.4 directly from the web store). The MEGA crew further told users that if they visited any site during the attack, then they should “consider that [their] credentials were compromised on these sites and/or applications.”

Although the hack affected various data and information across multiple websites, the attack specifically exposed users’ cryptocurrency accounts associated with the extension. Both MyEtherWallet and Monero, for instance, warned their users about the compromise over Twitter:

Some MyEtherWallet users were also affected in July when the Hola Chrome extension was hacked.

The MEGA crew believes the recent incident is related to a change on Google’s end that disallows publisher signatures on Chrome extensions. Apparently, Google “is now relying solely on signing [extensions] automatically after upload to the Chrome webstore, which removes an important barrier to external compromise.” The team indicated that its Firefox extension would not have been able to experience this type of attack.

MEGA is looking into the nature of the hack.

Daniel Putney is a full-time writer for ETHNews. He received his bachelor’s degree in English writing from the University of Nevada, Reno, where he also studied journalism and queer theory. In his free time, he writes poetry, plays the piano, and fangirls over fictional characters. He lives with his partner, three dogs, and two cats in the middle of nowhere, Nevada.

Like what you read? Follow us on X @Bitnewsbot to receive the latest hack, MEGA or other Ethereum technology news.