MEGA.nz Chrome Extension Compromised: Stole Passwords and Cryptocurrency Keys
The tech publication ZDNet has issued a warning that the official MEGA.nz extension for Chrome was compromised. On September 4, 2018, the extension was updated to version 3.39.4, after which it began stealing login credentials for Amazon, Google, Microsoft, and GitHub accounts, as well as data from cryptocurrency wallets such as MyEtherWallet, MyMonero, and the IDEX platform.
The malicious code added to the extension collected usernames, passwords, and other session data that attackers need to access victims’ accounts. If cryptocurrency operations were involved, it also stole private keys. All collected data was sent to a server in Ukraine at megaopac[.]host.
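Because the stolen data went to a single named host, proxy or DNS logs from the exposure window can be swept for it. The sketch below is an added example, not code from ZDNet, MEGA, or SerHack; the log format, client addresses, `www` subdomain, and function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Exfiltration host named in the article, kept defanged as published.
IOC_DEFANGED = "megaopac[.]host"

def refang(indicator):
    """Turn a defanged indicator into the form that appears in logs."""
    return indicator.lower().replace("[.]", ".")

def host_of(token):
    """Return the hostname of a URL, host:port pair or bare name, else None."""
    token = refang(token.strip())
    if "://" not in token:
        token = "//" + token          # let urlsplit treat it as a netloc
    try:
        host = urlsplit(token).hostname
    except ValueError:                # e.g. unbalanced brackets in a timestamp
        return None
    return host.rstrip(".") if host else None

def matches_ioc(host, ioc=refang(IOC_DEFANGED)):
    """Exact host or any subdomain; never a substring or look-alike suffix."""
    return host is not None and (host == ioc or host.endswith("." + ioc))

def scan(lines):
    """Return (line_number, host) for each log line that contacts the IoC."""
    hits = []
    for number, line in enumerate(lines, 1):
        for token in line.split():
            host = host_of(token)
            if matches_ioc(host):
                hits.append((number, host))
                break
    return hits

# Constructed sample proxy log: timestamp, client, method, target, status.
SAMPLE_LOG = [
    "2018-09-04T14:31:07Z 10.0.0.12 CONNECT megaopac.host:443 200",
    "2018-09-04T14:31:09Z 10.0.0.12 GET https://www.megaopac.host/ 200",
    "2018-09-04T14:32:10Z 10.0.0.15 GET https://notmegaopac.host/ 200",
    "2018-09-04T14:33:00Z 10.0.0.15 GET https://example.com/?q=megaopac.host 200",
    "2018-09-04T14:34:00Z 10.0.0.20 CONNECT MEGAOPAC.HOST.:443 200",
]

if __name__ == "__main__":
    for number, host in scan(SAMPLE_LOG):
        print(f"line {number}: contact with {host}")
```

Matching on the parsed hostname rather than a substring keeps look-alike domains and query-string mentions (lines 3 and 4 of the sample) out of the results.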
The issue was first discovered by an Italian developer from the Monero Project, known online as SerHack. Google engineers have since removed the extension from the Chrome Web Store and disabled it for existing users.
The exact method of compromise is still unclear, but reports indicate that the Firefox version of the MEGA.nz extension was not affected. It is possible that attackers managed to compromise one of the extension’s developers and used their access to inject the malicious code. This method has been used before in attacks on Hola VPN and nearly a dozen other popular extensions last year.