Hackers Breach MEGA Chrome Extension To Steal Crypto Private Keys

ItsMitch

S: zdnet

 

Mega.nz chrome extension has been caught by some security experts stealing passwords from GitHub, Google, Microsoft, Amazon and a plethora of Monero websites. The user data was sent off to a website created via NameCheap Inc (not a shocker tbh) and it was left live on the Google Store for several hours. How did this happen exactly? Well there's a few explanations, Mega.nz blame Google for their lacking security measures and the fact they disallow publisher signatures. 

 

How? 

A malicious update was pushed via the Google Store around September 4th 13:40 UTC, titled v3.39.4, which contained the password logger, and it stole all browsing data along with it. 

Mega.nz located the breach 4 hours later and issued a clean update to remove the malware, however, Google staff stripped the application from its store after reports broke of a breach of user data. 

 

Mega.nz response

Quote

"Unfortunately, Google decided to disallow publisher signatures on Chrome extensions and is now relying solely on signing them automatically after upload to the Chrome webstore, which removes an important barrier to external compromise. MEGAsync and our Firefox extension are signed and hosted by us and could therefore not have fallen victim to this attack vector. While our mobile apps are hosted by Apple/Google/Microsoft, they are cryptographically signed by us and therefore immune as well."

Mega also confirmed they're investigating how exactly their account was breached and how this happened in the first place. 

 

I'm fairly disappointed in this, I've been a lifelong user of Mega.nz and I guess I'll be moving on from them, thankfully Dashlane saved my ass w/ new passwords. 
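
An added example, not part of the original post or MEGA's own tooling: a Python check a responder could run over a Chrome profile's Extensions directory to find on-disk copies of the v3.39.4 release named above. Matching by display name (`NAME_HINT`) is an assumption because the post gives no extension ID, and the sample profile is constructed test data.

```python
import json
from pathlib import Path

BAD_VERSION = "3.39.4"  # version of the malicious update named in the post
NAME_HINT = "mega"      # assumption: match by display name; the post gives no extension ID

def display_name(ext_dir, manifest):
    """Resolve the manifest name, following __MSG_key__ into _locales when localized."""
    name = manifest.get("name", "")
    if not (name.startswith("__MSG_") and name.endswith("__")):
        return name
    locale = manifest.get("default_locale", "en")
    try:
        msgs = json.loads((ext_dir / "_locales" / locale / "messages.json").read_text("utf-8"))
    except (OSError, ValueError):
        return name
    for key, entry in msgs.items():  # message keys are case-insensitive
        if key.lower() == name[6:-2].lower():
            return entry.get("message", name)
    return name

def find_bad_installs(extensions_root):
    """Return (extension_id, version, name) for each on-disk copy of the bad release."""
    hits = []
    # Chrome profile layout: Extensions/<extension id>/<version>_<n>/manifest.json
    for path in sorted(Path(extensions_root).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text("utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or corrupt manifest
        name = display_name(path.parent, manifest)
        if NAME_HINT in name.lower() and manifest.get("version") == BAD_VERSION:
            hits.append((path.parent.parent.name, manifest["version"], name))
    return hits

def build_sample_profile(root):
    """Constructed test data (placeholder IDs and names, not real extensions)."""
    def put(ext_id, version, manifest, messages=None):
        d = Path(root) / ext_id / f"{version}_0"
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps(manifest), "utf-8")
        if messages:
            loc = d / "_locales" / "en"
            loc.mkdir(parents=True)
            (loc / "messages.json").write_text(json.dumps(messages), "utf-8")
    put("a" * 32, BAD_VERSION, {"name": "__MSG_extName__", "version": BAD_VERSION,
        "default_locale": "en"}, {"extName": {"message": "MEGA"}})
    put("a" * 32, "0.0.1", {"name": "MEGA", "version": "0.0.1"})
    put("b" * 32, BAD_VERSION, {"name": "Sample Notes", "version": BAD_VERSION})
    return Path(root)
```

A clean result only means the bad version is not on disk now; a later update may already have replaced it, so it does not rule out exposure during the window described in the post.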


In short, fuck Google for disregarding security.

Come Bloody Angel

Break off your chains

And look what I've found in the dirt.

 

Pale battered body

Seems she was struggling

Something is wrong with this world.

 

Fierce Bloody Angel

The blood is on your hands

Why did you come to this world?

 

Everybody turns to dust.

 

Everybody turns to dust.

 

The blood is on your hands.

 

The blood is on your hands!

 

Pyo.


2 minutes ago, SC2Mitch said:

I've been a lifelong user of Mega.nz

So you're a toddler? xD

Make sure to quote or tag me (@JoostinOnline) or I won't see your response!

PSU Tier List  |  The Real Reason Delidding Improves Temperatures  |  "2K" does not mean 2560×1440 


3 minutes ago, Drak3 said:

In short, fuck Google.

:)


16 minutes ago, SC2Mitch said:

yes, my mum calls me special, PROBLEM MISTER?_?

HAHAHHAAHHA, my mommy say i am special. :3 

CPU: Ryzen 7 1700 @3.85Ghz, MotherBoard: Asus ROG Strix X370-F, RAM: G.SKILL TridentZ RGB Series 16GB 3000Mhz

GPU: GALAX GeForce® GTX 1080 Ti EXOC White, Case: NZXT S340 Elite Matte White, Storage: Samsung SSD 850 EVO 500GB, PSU: Corsair CX650M


1 hour ago, SC2Mitch said:

 

 

I'm fairly disappointed in this, I've been a lifelong user of Mega.nz and I guess I'll be moving on from them, thankfully Dashlane saved my ass w/ new passwords. 

wait how is this their fault ??, hackers got a hold of their account somehow and published a malicious update and they figured it out in 4 hours, i would say that's a pretty good response time


1 hour ago, Drak3 said:

In short, fuck Google for disregarding security.

It was caught in 4 fucking hours. Not like this was months on end. 


1 minute ago, cj09beira said:

wait how is this their fault ??, hackers got a hold of their account somehow and published a malicious update and they figured it out in 4 hours, i would say that's a pretty good response time

Not only that, the malicious update could only be pushed to Chrome due to how Chrome handles update signatures.


2 minutes ago, cj09beira said:

wait how is this their fault ??, hackers got a hold of their account somehow and published a malicious update and they figured it out in 4 hours, i would say that's a pretty good response time

If Google put in the right measures in the first place this never would have happened in the first place. 

 

1 hour ago, SC2Mitch said:

Google decided to disallow publisher signatures on Chrome extensions and is now relying solely on signing them automatically after upload to the Chrome webstore, which removes an important barrier to external compromise

 


2 minutes ago, mynameisjuan said:

It was caught in 4 fucking hours. Not like this was months on end. 

It didn't and couldn't happen on other browsers. Also, Mega caught it, not Google.


1 minute ago, SC2Mitch said:

If Google put in the right measures in the first place this never would have happened in the first place. 

 

 

and because of it you will be moving away from mega? or is it just the extension 


Meanwhile, I’m on Firefox

The Workhorse (AMD-powered custom desktop)

CPU: AMD Ryzen 7 3700X | GPU: MSI X Trio GeForce RTX 2070S | RAM: XPG Spectrix D60G 32GB DDR4-3200 | Storage: 512GB XPG SX8200P + 2TB 7200RPM Seagate Barracuda Compute | OS: Microsoft Windows 10 Pro

 

The Portable Workstation (Apple MacBook Pro 16" 2021)

SoC: Apple M1 Max (8+2 core CPU w/ 32-core GPU) | RAM: 32GB unified LPDDR5 | Storage: 1TB PCIe Gen4 SSD | OS: macOS Monterey

 

The Communicator (Apple iPhone 13 Pro)

SoC: Apple A15 Bionic | RAM: 6GB LPDDR4X | Storage: 128GB internal w/ NVMe controller | Display: 6.1" 2532x1170 "Super Retina XDR" OLED with VRR at up to 120Hz | OS: iOS 15.1


Just now, huilun02 said:

Not you, your source article title

i got chu, fixed


and that's why i prefer to wait mega 3.0

One day I will be able to play Monster Hunter Frontier in French/Italian/English on my PC, it's just a matter of time... 4 5 6 7 8 9 years later: It's finally coming!!!

Phones: iPhone 4S/SE | LG V10 | Lumia 920 | Samsung S24 Ultra

Laptops: Macbook Pro 15" (mid-2012) | Compaq Presario V6000

Other: Steam Deck

<>EVs are bad, they kill the planet and remove freedoms too some/<>


1 hour ago, mynameisjuan said:

It was caught in 4 fucking hours. Not like this was months on end. 

4 hours access to my more secure accounts could easily leave me in a hole it would take me months to get out of.

Motherboard: Asus X570-E
CPU: 3900x 4.3GHZ

Memory: G.skill Trident GTZR 3200mhz cl14

GPU: AMD RX 570

SSD1: Corsair MP510 1TB

SSD2: Samsung MX500 500GB

PSU: Corsair AX860i Platinum


Just use dropbox or Google Docs? I don't think anyone bothers with MEGA - or chrome extensions anymore.


Hahaha so glad I'm on Linux things like this would've ne-..... Wait. I use both chromium and mega. Damn.... Well, at least I disable all the extensions. 

Sudo make me a sandwich 


1 minute ago, geo3 said:

WTF is Mega?

Make England Grand Again.


4 hours ago, geo3 said:

WTF is Mega?

Mega (stylized in uppercase as MEGA) is a cloud storage and file hosting service offered by Mega Limited, a New Zealand-based company. The service is offered primarily through web-based apps. Mega mobile apps are also available for Windows Phone, Android and iOS.

Mega is known for its security feature where all files are end-to-end encrypted locally before they are uploaded. This prevents anyone (including employees of Mega Limited) from accessing the files without knowledge of the pass key used for encryption.[3] The service was previously noted for a large 50 GB storage allocation for free accounts.[4] However, this was reduced to 15 GB, with additional amounts offered only on an expiring trial basis.[5] Up to 8 TB is available for paid accounts.[6] As of January 20, 2018, Mega has 100 million registered users in more than 245 countries and territories, and more than 40 billion files have been uploaded to the service.[7]

The website and service was launched on January 19, 2013, by Kim Dotcom, who had founded the now-defunct service Megaupload. However, in 2015 Kim Dotcom disassociated himself from the service and stated that the New Zealand government had seized the shares of a Chinese investor and has control of the site. Mega Limited responded that the authorities have not interfered with its operations.

stolen from wikipedia
