Starting with a Reddit thread on the /r/Monero subreddit, posted about two hours before this article was written, the MEGA.nz Chrome browser extension has been identified as backdoored in its newest version, 3.39.4. The backdoored version steals credentials for several services, among them GitHub and Google, and sends them to an external website. Note: This story will be updated as more becomes known.

Discovery

Reddit user gattacus updated the MEGA.nz extension in his browser and noticed that it asked for additional permissions, which prompted him to analyze the changes in the source code. What he found was a backdoor attempting to steal users' Monero. Since there was no corresponding recent commit in the public Git repository on GitHub, the likely explanations are that MEGA's account on the Chrome Web Store was hacked or that an authorized user (i.e. an insider) pushed the backdoored version to the store.
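
The trigger here was an update suddenly asking for more permissions. The following Node.js script, added to this article as an illustration and not code from the article or from MEGA, diffs the permissions of two extension manifests the way a suspicious user would before accepting such a prompt. Both manifests are constructed for the example; they are not the real 3.39.3 and 3.39.4 MEGA manifests, and the list of high-risk permissions is the author's own choice.

```javascript
// Added example (not code from the article or from MEGA): diff the permissions
// of two extension manifests the way a suspicious user might when an update
// suddenly asks for more. Both manifests are CONSTRUCTED for illustration; they
// are not the real MEGA 3.39.3 / 3.39.4 manifests.

const OLD_MANIFEST = {
  name: 'Example extension',
  version: '3.39.3',
  permissions: ['storage', 'unlimitedStorage', 'https://mega.nz/*'],
  content_scripts: [{ matches: ['https://mega.nz/*'], js: ['content.js'] }],
};

const NEW_MANIFEST = {
  name: 'Example extension',
  version: '3.39.4',
  permissions: [
    'storage', 'unlimitedStorage', 'https://mega.nz/*',
    'webRequest', 'webRequestBlocking', '<all_urls>',
  ],
  content_scripts: [{ matches: ['<all_urls>'], js: ['content.js'] }],
};

// Permissions and match patterns that let an extension read or rewrite what the
// user sees and types on every site. Any of them appearing for the first time in
// an update deserves a look at the code before accepting. (Author's selection.)
const HIGH_RISK = new Set([
  '<all_urls>', '*://*/*', 'http://*/*', 'https://*/*',
  'webRequest', 'webRequestBlocking', 'tabs', 'cookies', 'debugger', 'nativeMessaging',
]);

// Flatten everything that grants access into one set: API permissions, host
// permissions (MV2 inline, MV3 "host_permissions") and content-script matches.
function collectPermissions(manifest) {
  const perms = new Set(manifest.permissions || []);
  for (const host of manifest.host_permissions || []) perms.add(host);
  for (const script of manifest.content_scripts || []) {
    for (const pattern of script.matches || []) perms.add(`content_script:${pattern}`);
  }
  return perms;
}

function diffManifests(oldManifest, newManifest) {
  const before = collectPermissions(oldManifest);
  const after = collectPermissions(newManifest);
  const added = [...after].filter((p) => !before.has(p)).sort();
  const removed = [...before].filter((p) => !after.has(p)).sort();
  const highRisk = added.filter((p) => HIGH_RISK.has(p.replace(/^content_script:/, '')));
  return { from: oldManifest.version, to: newManifest.version, added, removed, highRisk };
}

function formatReport(diff) {
  const lines = [`${diff.from} -> ${diff.to}`];
  for (const p of diff.added) lines.push(`  + ${p}${diff.highRisk.includes(p) ? '   <-- high risk' : ''}`);
  for (const p of diff.removed) lines.push(`  - ${p}`);
  if (diff.added.length === 0 && diff.removed.length === 0) lines.push('  (no permission changes)');
  return lines.join('\n');
}

console.log(formatReport(diffManifests(OLD_MANIFEST, NEW_MANIFEST)));
```

In practice you would load the two manifest.json files from the unpacked extension directories instead of the constructed objects; Chrome keeps installed extensions under the profile's Extensions directory, one subdirectory per installed version, so the previous version is usually still on disk right after an update.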

Affected Services

Shortly afterwards, other researchers such as SerHack started investigating the incident and found that several other services are affected by the backdoor.


Currently known credentials being snatched:

  • Amazon
  • GitHub
  • Google
  • Microsoft
  • MyMonero
  • MyEtherWallet
  • Aurora

The extension is not only after login data, but also after wallet private keys.

If you are using the Firefox extension, you are currently not affected, as that extension is still at version 3.39.3.

The Attack Server

Collected credentials are sent to megaopac.host, a domain registered via Namecheap on 31.08.2018. The JavaScript code posts the data via an XHR request to that web server. The parameter d probably holds an internal service ID (3 stands for GitHub, for example), p1 contains the username and p2 the login password.
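
For anyone hunting for this exfiltration in proxy or network logs, the following Node.js script is an added example (not code from the article or from the researchers) that scans captured requests for two indicators: the known destination host and the d/p1/p2 parameter shape of the POST body. The log lines and their format (timestamp, method, URL, body) are constructed for the example, the request path on megaopac.host is not known from the article, and only the d=3 → GitHub mapping is reported; every other ID is reported as unknown rather than guessed.

```javascript
// Added example (not code from the article or the researchers): flag requests
// that look like the credential exfiltration described above. The log lines are
// CONSTRUCTED; the real request path on megaopac.host is not known.

const IOC_HOSTS = new Set(['megaopac.host']);

// Only the mapping the researchers reported. Other IDs are deliberately left
// unknown instead of guessed.
const SERVICE_BY_D = { 3: 'GitHub' };

// Constructed capture: "<timestamp> <method> <url> <body>".
const SAMPLE_LOG = [
  '2018-09-04T17:58:02Z POST https://github.com/session login=alice&password=hunter2',
  '2018-09-04T17:58:03Z POST https://megaopac.host/ d=3&p1=alice&p2=hunter2',
  '2018-09-04T17:59:10Z GET https://mega.nz/',
  '2018-09-04T18:01:44Z POST https://cdn.example.test/collect d=5&p1=bob%40example.test&p2=s3cret',
];

function parseLogLine(line) {
  const m = /^(\S+)\s+(\S+)\s+(\S+)\s*(.*)$/.exec(line);
  if (!m) return null;
  const [, ts, method, url, body] = m;
  let host;
  try { host = new URL(url).hostname; } catch { return null; }
  return { ts, method, url, host, body };
}

// Returns a description of the credential triple if the body has the d/p1/p2
// shape, otherwise null. The password itself is never returned, only its length,
// so alerts can be logged without re-leaking the secret.
function looksLikeCredentialExfil(body) {
  const params = new URLSearchParams(body);
  const d = params.get('d');
  const p1 = params.get('p1');
  const p2 = params.get('p2');
  if (d === null || p1 === null || p2 === null || !/^\d+$/.test(d)) return null;
  return {
    serviceId: Number(d),
    service: SERVICE_BY_D[d] || `unknown (d=${d})`,
    username: p1,
    passwordLength: p2.length,
  };
}

function scan(lines) {
  const alerts = [];
  for (const line of lines) {
    const req = parseLogLine(line);
    if (!req) continue;
    const reasons = [];
    if (IOC_HOSTS.has(req.host)) reasons.push('destination matches known exfil host');
    const creds = req.method === 'POST' ? looksLikeCredentialExfil(req.body) : null;
    if (creds) reasons.push('body carries a d/p1/p2 credential triple');
    if (reasons.length > 0) alerts.push({ ts: req.ts, host: req.host, reasons, creds });
  }
  return alerts;
}

for (const alert of scan(SAMPLE_LOG)) console.log(JSON.stringify(alert));
```

The body-shape check matters because the host indicator is trivial for an attacker to rotate; a second domain with the same POST format would still be caught. Conversely, a legitimate site could in principle use parameters named d, p1 and p2, so treat that indicator as a lead to verify, not as proof on its own.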

Takeaway

This incident highlights the risk that third-party plugins pose to a robust security posture. It is not yet known whether MEGA has been compromised or whether rogue insiders are behind this backdoor. A lesson everyone can learn from this is to think twice about the permissions we grant an extension, or anything comparable: they often ask for far more than they actually need. Also, even though it remains unclear how the attacker backdoored the release, employees should be trained in company login best practices and shown how to identify phishing.


At the time of writing, this is everything that has been revealed. There has been no public statement from MEGA yet. Shoutout to the researchers mentioned above for their great work.

Update 04.09.2018 19:32 GMT

The browser extension has been removed from the Chrome Web Store.

Update 05.09.2018 15:55 GMT

MEGA released a statement on their blog. They confirmed the information published by the researchers and are actively investigating the compromise of their Chrome Web Store account. They also explained why the attacker was able to push code to the store as a release: Google had started to disallow publisher signatures on extensions. Such signatures were an important countermeasure, as they ensured that the code did in fact come from an authorized party holding the signing key, not merely from whoever holds the store account.

The awesome imagery used in this article is called "Alley Sounds" and was designed by Joe Mortell.