Hacked MEGA Chrome Extension was Used to Steal Cryptocurrency
The Google Chrome extension for the popular file upload and sharing service MEGA has been compromised by hackers looking to steal login credentials and cryptocurrency keys, according to information from security researchers.
The service, which was launched by Kim Dotcom in 2013 after the demise of MegaUpload, has now had its Chrome extension removed from the Chrome Web Store.
SerHack was the first researcher to sound the alarm, warning in a tweet on September 4 that version 3.39.4 of the extension had been hacked and was potentially harvesting user information, including usernames and passwords, from a number of platforms including Amazon, GitHub, Google and Microsoft.
The compromised MEGA extension actively monitors user information stored in the browser, looking out for URL strings that indicate registration or login forms. The data on such forms is then sent to an unidentified host in Ukraine called https://www.megaopac.host/.
crypto keys from logged in users.
Confirming the hack, MEGA released a statement that reads in part:
“On 4 September 2018 at 14:30 UTC, an unknown attacker uploaded a trojaned version of MEGA’s Chrome extension, version 3.39.4, to the Google Chrome webstore. Upon installation or autoupdate, it would ask for elevated permissions (Read and change all your data on the websites you visit) that MEGA’s real extension does not require and would (if permissions were granted) exfiltrate credentials for sites including amazon.com, live.com, github.com, google.com (for webstore login), myetherwallet.com, mymonero.com, idex.market and HTTP POST requests to other sites, to a server located in Ukraine. Note that mega.nz credentials were not being exfiltrated.”
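The tell MEGA describes above, a routine autoupdate suddenly asking for "Read and change all your data on the websites you visit", corresponds to broad host match patterns in the extension's manifest.json. The following added example (not MEGA's code and not taken from the original article) diffs two manifests and flags an update that newly requests such broad host access; the manifest contents and the extension name are constructed samples, not the real MEGA manifests.

```python
import json

# Host match patterns that trigger Chrome's "Read and change all your data on
# the websites you visit" warning. Any of these appearing for the first time in
# an update deserves scrutiny before the elevated permission is granted.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def host_permissions(manifest: dict) -> set:
    """Collect host match patterns from an MV2 or MV3 manifest.

    MV2 lists host patterns inside "permissions"; MV3 moves them to
    "host_permissions". Entries containing "://" or "<all_urls>" are hosts.
    """
    entries = list(manifest.get("permissions", [])) + list(manifest.get("host_permissions", []))
    return {p for p in entries if "://" in p or p == "<all_urls>"}


def api_permissions(manifest: dict) -> set:
    """API permissions such as "storage" or "webRequest" (everything that is not a host)."""
    return {p for p in manifest.get("permissions", []) if "://" not in p and p != "<all_urls>"}


def permission_delta(old: dict, new: dict) -> dict:
    """Report what an update newly requests and whether it escalates to all-site access."""
    new_hosts = host_permissions(new) - host_permissions(old)
    new_apis = api_permissions(new) - api_permissions(old)
    return {
        "version": (old.get("version"), new.get("version")),
        "new_host_permissions": sorted(new_hosts),
        "new_api_permissions": sorted(new_apis),
        "escalates_to_all_sites": any(h in BROAD_HOST_PATTERNS for h in new_hosts),
    }


# Constructed sample manifests (illustrative only, not the real MEGA manifests).
OLD_MANIFEST = json.loads("""{
  "manifest_version": 2, "name": "Example Cloud Extension", "version": "3.39.3",
  "permissions": ["storage", "https://example-cloud.invalid/*"]
}""")
NEW_MANIFEST = json.loads("""{
  "manifest_version": 2, "name": "Example Cloud Extension", "version": "3.39.4",
  "permissions": ["storage", "https://example-cloud.invalid/*", "<all_urls>", "webRequest"]
}""")

if __name__ == "__main__":
    # Run this against the manifest.json of the installed and the updated CRX
    # before approving the update; escalates_to_all_sites=True is the red flag.
    print(json.dumps(permission_delta(OLD_MANIFEST, NEW_MANIFEST), indent=2))
```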