Cyber-criminals exploited the MEGA Chrome extension to steal cryptocurrency and user credentials affecting 1.6 million users.
The incident was first discovered by the independent researcher and Monero Project Contributor SerHack who promptly tweeted a warning that the 3.39.4 version of the MEGA Chrome extension had been compromised.
"On 4 September 2018 at 14:30 UTC, an unknown attacker uploaded a trojaned version of MEGA’s Chrome extension, version 3.39.4, to the Google Chrome webstore," MEGA said in a 4 September security warning.
"Upon installation or autoupdate, it would ask for elevated permissions (Read and change all your data on the websites you visit) that MEGA’s real extension does not require and would (if permissions were granted) exfiltrate credentials for sites including amazon.com, live.com, github.com, google.com (for webstore login), myetherwallet.com, mymonero.com, idex.market and HTTP POST requests to other sites, to a server located in Ukraine."
Once installed, the malicious extension will request permission to access personal information, allowing it to steal login/register credentials from sites like Amazon, Github, and Google, along with online wallets such as MyEtherWallet, MyMonero, and Idex.market cryptocurrency trading platform, SerHack said in a blog post.
The compromised extension would also monitor monitor any form submission where the URL contains the strings Register or Login or variables exist that are named "username", "email", "user", "login", "usr", "pass", "passwd", or "password".
"The Mega extension then sent all the stolen information back to an attacker’s server located at megaopac[.]host in Ukraine, which is then used by the attackers to log in to the victims’ accounts, and also extract the cryptocurrency private keys to steal users’ digital currencies," SerHack added.
MEGA said it uses strict release procedures with multi-party code review, robust build workflow and cryptographic signatures where possible, but added Google decided to disallow publisher signatures on Chrome extensions and is instead relying solely on signing them automatically after upload to the Chrome the , which removes an important barrier to external compromise.
"MEGAsync and our Firefox extension are signed and hosted by us and could therefore not have fallen victim to this attack vector," MEGA said in its advisory. "While our mobile apps are hosted by Apple/Google/Microsoft, they are cryptographically signed by us and therefore immune as well."
Matan Galkochavi, director of product management at Arxan said it’s important to keep in mind that even if firm’s like Google can’t stop every malicious extension from infecting people, developers can make sure it’s not impacting their users.
"Even if you can’t stop every malicious extension from infecting people, you can make sure it’s not impacting your users," Galkochavi said. "A browser vendor’s (Google in this case) ability to detect malicious extensions is limited, partially because they don’t know every individual web application."
Galkochavi added that something that may be legitimate on one website may be malicious in another and that no one knows the security risks of a web app better than the developer’s own team. Visibility into what extensions are doing when a user is using an app can allow developers to determine what’s legitimate and what isn’t.