Cloud storage and file hosting service provider Mega Limited has taken its blog to advise users that the MEGA Chrome extension was replaced with a credential-stealing trojan over the course of several hours this week. The infected software effectively replaced the official extension in the Chrome Web Store and was installed either manually or through an auto-update. Once installed, the malware – listed as version 3.39.4 – first asked users for ‘Read and change all data’ permissions and then proceeded to steal data from those websites. Some of that data included credentials for major sites like Amazon, GitHub, Google, and Microsoft’s Live. However, it also took credentials tied with service sites associated with cryptocurrencies such as MyEtherWallet and MyMonero, in addition to HTTP POST requests – which are linked to with web forms. MEGA credentials were not stolen unless users signed into the site while the extension was installed but all of the data that was is noted as having been moved to a server in Ukraine.
The exact details for how MEGA’s Chrome Web Store account became compromised and the number of users affected by the attack have not been provided, as of this writing. The company does say that only users who downloaded version 3.39.4, allowed permissions, and signed into websites or conducted similar activity were impacted. Moreover, the offending update was only on the store site for approximately 4-hours, although that doesn’t necessarily solve the problem caused by auto-updates. Another update to version 3.39.5 was pushed in that same timeframe and would have arrived via manual or automatic installation. Subsequent updates should be secure as well. Within an additional hour, Google was informed and had removed the version from the Chrome Web Store entirely, preventing the trojan from afflicting further devices with Chrome and the extension installed. An investigation into the attack is ongoing, in the meantime.
This is hardly the first time a Chrome extension has been impacted by a credential-stealing cyber attack but that doesn’t necessarily take away from the severity of the situation. Those who think they may have been affected, which could likely be applied to a substantial number of users of the MEGA extension if not all, will want to take steps to ensure that their online accounts are secure. As noted by Mega, that means actions such as changing passwords and setting up two-factor authentication where available and not already enabled.