A Chrome browser extension used in conjunction with MEGA, a popular file-sharing platform, was recently hacked and used to steal private keys, usernames and passwords from users, allowing hackers to steal Ethereum, Monero and more.
At approximately 11:30 EST last Tuesday, a Reddit user (gattacus) posted an alert within the Monero subreddit, cautioning users to avoid using v3.39.4 of the MEGA extension for Chrome because of fears it may have been hacked.
Gattacus explained that there had been a recent update to the extension which had asked them for new permission to “read data on all websites”. This aroused suspicion, causing the user to check the extension code.
The malware obtained the permissions it needed at installation time. Whenever the user then logged into one of a number of predetermined sites, the malicious code triggered. Analysis of the hacked code revealed that the following sites were being targeted:
Once triggered, the code collected user information including passwords, usernames, private keys, email addresses and other session data. This information was then sent to a server thought to be in Ukraine.
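The warning sign in this incident was an update that suddenly asked to read data on every website. That kind of permission escalation can be checked mechanically by comparing the extension's manifest.json before and after an update and flagging any host pattern that covers all sites. The script below is an added illustration of that check; it is not code from the article or from MEGA, and the two manifests it parses are constructed samples, not the real extension's manifests.

```python
import json

# Host match patterns that give an extension access to every site the user
# visits. Chrome surfaces these to the user as a warning about reading and
# changing data on all websites, the wording that triggered the original alert.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def host_patterns(manifest: dict) -> set:
    """Collect every host match pattern a manifest claims: host entries in
    'permissions' (manifest v2), 'host_permissions' (manifest v3), and the
    'matches' lists of content scripts."""
    patterns = set()
    for key in ("permissions", "host_permissions"):
        for entry in manifest.get(key, []):
            if "://" in entry or entry == "<all_urls>":
                patterns.add(entry)
    for script in manifest.get("content_scripts", []):
        patterns.update(script.get("matches", []))
    return patterns


def broad_hosts(manifest: dict) -> set:
    """Return only the patterns that grant access to all websites."""
    return {p for p in host_patterns(manifest) if p in BROAD_HOST_PATTERNS}


def permission_escalation(old: dict, new: dict) -> dict:
    """Compare two versions of a manifest and report what the newer one
    requests that the older one did not. 'gained_all_sites' is the red flag
    a reviewer would want raised before approving an auto-update."""
    old_perms = set(old.get("permissions", [])) | set(old.get("host_permissions", []))
    new_perms = set(new.get("permissions", [])) | set(new.get("host_permissions", []))
    return {
        "new_permissions": sorted(new_perms - old_perms),
        "new_host_patterns": sorted(host_patterns(new) - host_patterns(old)),
        "gained_all_sites": bool(broad_hosts(new) - broad_hosts(old)),
    }


# Constructed sample manifests (hypothetical extension, not the real one).
OLD_MANIFEST = json.loads("""{
  "name": "example-ext", "version": "1.0.0", "manifest_version": 2,
  "permissions": ["storage", "https://example-service.invalid/*"]
}""")
NEW_MANIFEST = json.loads("""{
  "name": "example-ext", "version": "1.0.1", "manifest_version": 2,
  "permissions": ["storage", "https://example-service.invalid/*", "<all_urls>"],
  "content_scripts": [{"matches": ["*://*/*"], "js": ["content.js"]}]
}""")

if __name__ == "__main__":
    # Prints the escalation report; gained_all_sites is true for this sample.
    print(json.dumps(permission_escalation(OLD_MANIFEST, NEW_MANIFEST), indent=2))
```

In practice the two manifests would be read from the installed extension directory before and after the update (Chrome keeps each version in its own folder under the profile's Extensions directory); a content script matching `*://*/*` is as significant as a top-level `<all_urls>` permission, which is why the check looks at both.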
Despite the Chrome issue being a major concern, it should be pointed out that neither the Firefox MEGA extension nor the actual MEGA website itself have been affected by the hack.
Credit for discovering the issue is attributed to an Italian developer and contributor to Monero, who posts under the pseudonym SerHack.
A company spokesperson for MEGA acknowledged that the hack had happened and noted that it had updated the infected extension with a clean version (v3.39.5) and auto-updated any affected installations.
Meanwhile, Google removed the MEGA extension from its web store and disabled it for existing users. At the time of going to press, clicking on a link for the extension brings up a ‘404: Page Not Found’ error.