Ethereum and Monero Wallets Targeted in Malicious MEGA.nz Chrome Extension Update
A new update for the MEGA.nz Google Chrome extension was recently released containing malicious code that could compromise cryptocurrency wallets and user accounts for popular shopping sites like Amazon.
Google engineers have had to remove a Chrome extension for the popular file-sharing service MEGA.nz that could have stolen private keys for Ethereum and Monero accounts.
The extension, released yesterday as version 3.39.4, apparently contained malicious code that had the capacity to steal usernames, passwords, and even private keys for popular cryptocurrencies Ethereum and Monero, ZDNet reports.
The Chrome extension update showed malicious behavior just hours after release. An analysis of its source code revealed that it captured the usernames and passwords on popular websites including Google, Amazon, Microsoft, and GitHub.
In addition, the compromised extension was capable of detecting and capturing private key information for web-based wallets MyEtherWallet and MyMonero.
The attack could extract the keys, which would then allow access to user funds on these sites. It also affected IDEX, a cryptocurrency exchange and trading platform.
MEGA.nz apologized to its users, saying that investigations were ongoing to establish exactly how the breach ended up compromising its account.
“We are currently investigating the exact nature of the compromise of our Chrome webstore account.”
The platform has also indicated that it is dissatisfied with Chrome Web Store’s approach to the issue of security. In a blog post, MEGA.nz says that Chrome’s approach contributed directly to the extension hijack.
It states that it was wrong for Google to remove the need for publisher signatures on its Chrome extensions. This has meant that the internet giant relies on signing extensions automatically after the code has already been uploaded to the Chrome Web Store.
“[Disallowing publisher signatures] removes an important barrier to external compromise.”
The company has also said that MEGAsync and its Firefox extension were not affected by this attack vector because MEGA.nz signs and hosts the extension source code itself. The Firefox version is still available online; however, the Chrome extension has been taken down.
The firm’s mobile apps, hosted by Apple, Google, and Microsoft, are cryptographically signed to make them immune to such attacks.
Although Google engineers have since intervened and replaced the extension, users still need to check their browsers and ensure the extension isn’t installed anymore.
Users are advised to reset their passwords on the affected sites like Amazon and Microsoft. Cryptocurrency holders at MyEtherWallet and MyMonero should also open new accounts and move their digital assets to protect their new private keys.
According to ZDNet, someone uploaded a trojaned v3.39.4 containing the malicious code to the Chrome Web Store on September 4, 2018, at 14:30 UTC. After updating, the code asked for elevated permissions that allowed it to read and change all credentials.
Four hours elapsed before MEGA.nz submitted v3.39.5, a new, unaffected version of the extension, to the Chrome Web Store. Google’s engineers removed the affected extension an hour later, meaning the breach lasted five hours, possibly inflicting a lot of damage.
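A request for elevated permissions after an update, as described above, shows up as a difference between the old and new manifest.json of the extension. The following Python is an added example, not code from MEGA.nz, Google or ZDNet; the two manifests are constructed samples and the function names are hypothetical.

```python
import json

# Host match patterns that grant access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def requested(manifest):
    """Return every permission string a manifest requests."""
    perms = list(manifest.get("permissions", []))
    perms += manifest.get("host_permissions", [])  # Manifest V3 key
    for script in manifest.get("content_scripts", []):
        perms += script.get("matches", [])
    # Some permission entries are objects rather than strings; skip those.
    return {p for p in perms if isinstance(p, str)}

def permission_delta(old, new):
    """Compare two versions of one extension's manifest."""
    added = requested(new) - requested(old)
    return {
        "old_version": old.get("version"),
        "new_version": new.get("version"),
        "added": sorted(added),
        "broad_hosts_added": sorted(added & BROAD_HOSTS),
        "escalated": bool(added),
    }

# Constructed sample manifests (not the real MEGA.nz extension manifests).
OLD_MANIFEST = json.loads("""{
  "name": "Example Extension", "version": "1.0.0", "manifest_version": 2,
  "permissions": ["storage", "https://example.invalid/*"]
}""")
NEW_MANIFEST = json.loads("""{
  "name": "Example Extension", "version": "1.0.1", "manifest_version": 2,
  "permissions": ["storage", "https://example.invalid/*", "webRequest", "<all_urls>"],
  "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}]
}""")

if __name__ == "__main__":
    print(json.dumps(permission_delta(OLD_MANIFEST, NEW_MANIFEST), indent=2))
```

An update that adds an entry to `broad_hosts_added` is one to hold back for review before it reaches managed browsers.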
MEGA.nz offers users access to cloud storage that uses end-to-end encryption, giving the user full control over access to their data. The platform has over 120 million registered users and has so far stored over 48 billion files.
The breach of the MEGA.nz Chrome extension highlights the tough task facing Google and other internet security providers.
However, individual users carry the greatest responsibility for themselves, especially in knowing their risk profile and, therefore, staying on top of what they put online.