The Google Chrome browser extension from the MEGA file storage service has been compromised and replaced with a malicious version that can steal user credentials for popular websites. The malicious version of the MEGA Chrome extension captures login credentials in a way that gives hackers access to popular sites like Amazon, Google, Facebook, Microsoft, and GitHub, and even to private keys for cryptocurrency wallets.
As the news broke of the MEGA Chrome extension being compromised, computer security experts and researchers took to sites like Twitter and Reddit, warning users to avoid the malicious version of the MEGA extension.
The MEGA Chrome extension is claimed to be a companion to a secure cloud storage service that offers free space, and it is said to reduce loading times and improve the overall performance of web page loading. Moreover, and potentially ironically, the MEGA Chrome extension is said to strengthen security when browsing the web.
Hackers strive to steal logins by any means necessary
Unfortunately, we can never be sure that hackers won't attack legitimate versions of software applications or extensions that are commonly used with popular web browsers. In the case of the MEGA Chrome extension, which was exploited to let hackers steal login credentials for many different sites, security experts discovered that the incident could have been easily prevented.
According to a blog post published by MEGA, an unknown attacker was able to hack into their Google Chrome web store account and upload a malicious version of the MEGA Chrome extension. The incident took place on September 4th at 14:30 UTC and was first discovered by the researcher SerHack. The MEGA Chrome extension file was weaponized with Trojan horse capabilities that gave it the ability to ask for elevated permissions to access personal information. From there, the MEGA Chrome extension collected credentials and sent the stolen data to an attacker's server at the megaopac(.)host site, which is located in Ukraine and used by the attackers to log into victims' accounts.
The MEGA fix is to uninstall the extension
Fortunately, according to the warning MEGA published, the extension exploit only affects users who installed the Chrome extension at the time of the incident or those who had autoupdate enabled and accepted the additional permissions. Many users may have had an autoupdate forced by the hackers, which could have loaded the malware-laced version of the extension. The malicious version of the MEGA Chrome extension is version 3.39.4, which was taken down after being active for about five hours.
The number of users impacted by the malicious version of the MEGA Chrome extension is unknown at this time. Firefox users should not be concerned as the hack was limited to Chrome browser users who obtained the MEGA Chrome extension version 3.39.4.
Currently, MEGA and computer security experts are urging users of the MEGA Chrome extension to verify the version they are utilizing to ensure it is not version 3.39.4. If they find that they are using the malicious 3.39.4 version, they should immediately uninstall the extension and change the passwords for all their accounts accessed using the Chrome web browser. Because the trojanized version of the MEGA Chrome extension sends plain text credentials through POST requests, users should consider that their credentials were compromised and act to change their logins immediately.
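For teams that keep web proxy logs, the exfiltration domain named above can be used to work out which users need a password reset. The following is an added example, not code from MEGA or from the original article; the five-field log format, the user names, addresses, and URLs in the sample are constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Indicator exactly as the article prints it (defanged); refanged only for matching.
EXFIL_DOMAIN = "megaopac(.)host".replace("(.)", ".")

# Constructed sample lines in a hypothetical "time client user method target" format.
SAMPLE_LOG = """\
14:41:07 10.0.0.21 alice POST https://www.megaopac.host/
14:41:09 10.0.0.21 alice GET https://mega.nz/start
14:52:30 10.0.0.34 bob CONNECT megaopac.host:443
15:03:12 10.0.0.40 carol POST https://notmegaopac.host/login
15:10:55 10.0.0.34 bob POST https://example.com/?next=megaopac.host
"""

def target_host(target):
    """Return the lower-cased hostname of a URL or a CONNECT host:port target."""
    if "://" not in target:
        target = "//" + target          # lets urlsplit parse "host:443"
    return (urlsplit(target).hostname or "").rstrip(".").lower()

def is_exfil_host(host):
    """Match the exact domain or a subdomain; look-alike names do not match."""
    return host == EXFIL_DOMAIN or host.endswith("." + EXFIL_DOMAIN)

def find_affected(log_text):
    """Map user -> set of HTTP methods seen towards the exfiltration domain."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue                     # skip malformed lines
        _time, _client, user, method, target = fields
        if is_exfil_host(target_host(target)):
            hits[user].add(method.upper())
    return dict(hits)

if __name__ == "__main__":
    for user, methods in sorted(find_affected(SAMPLE_LOG).items()):
        # POST is visible only with TLS inspection; CONNECT still shows contact.
        level = "credentials posted" if "POST" in methods else "contacted host"
        print(f"{user}: {level} ({', '.join(sorted(methods))}) -> reset passwords")
```

Matching on the parsed hostname rather than on a substring keeps look-alike domains and query-string mentions from producing false positives.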