Compromised Chrome Extension Snooped on Users’ Credentials, Cryptocurrency Private Keys
Someone compromised a Google Chrome extension with malicious code designed to snoop on users’ account credentials and cryptocurrency private keys.
On 4 September, a security researcher who goes by the name “SerHack” tweeted out a warning about version 3.39.4 of the Chrome extension for MEGA.nz, a cloud storage and file sharing service.
!!! WARNING !!!!!!! PLEASE PAY ATTENTION!!
LATEST VERSION OF MEGA CHROME EXTENSION WAS HACKED.
It catches your username and password from Amazon, GitHub, Google, Microsoft portals!! It could catch #mega #extension #hacked @x0rz pic.twitter.com/TnPalqj1cz
— SerHack (@serhack_) September 4, 2018
The compromised Chrome extension was capable of monitoring for login form submissions to Amazon, GitHub, Google and Microsoft. As analyzed by Bleeping Computer, it also had the ability to inspect a form submission URL for variables like “username” and “password.” Additionally, the extension monitored for three URL patterns (“https://www.myetherwallet.com/*”, “https://mymonero.com/*” and “https://idex.market/*”) for the purpose of stealing a user’s cryptocurrency private keys.
This data tracking culminated in the extension sending out any variables and credentials it found to a host based in Ukraine.
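One defensive check that follows from the behaviour described above, written here as an added example (not code from the article, Bleeping Computer or MEGA): a short Python audit that reads an extension's manifest.json and reports which watchlisted login and wallet URLs its content scripts or host permissions can reach, alongside broad permissions such as webRequest. The manifest, the watchlist and the "example-storage-extension" name are constructed sample data, not the real MEGA extension.

```python
import json
import re

# Constructed sample manifest (not the real MEGA extension): content scripts on the
# three wallet URL patterns named in the article, plus broad request-inspection rights.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 2, "name": "example-storage-extension", "version": "3.39.4",
    "permissions": ["webRequest", "webRequestBlocking", "<all_urls>"],
    "content_scripts": [{"js": ["inject.js"], "matches": [
        "https://www.myetherwallet.com/*", "https://mymonero.com/*", "https://idex.market/*"]}],
})
# Constructed watchlist of login and wallet pages a reviewer wants to know about.
WATCHLIST = ["https://www.myetherwallet.com/", "https://mymonero.com/", "https://idex.market/",
             "https://github.com/login", "https://accounts.google.com/signin"]
# Permissions that let an extension observe or rewrite traffic to every site.
RISKY_PERMISSIONS = {"webRequest", "webRequestBlocking", "<all_urls>"}
_MATCH_RE = re.compile(r"^(\*|https?)://(\*|\*\.[^/*]+|[^/*]+)(/.*)$")

def match_pattern_to_regex(pattern):
    """Translate a Chrome match pattern (<scheme>://<host>/<path>) into a regex."""
    if pattern == "<all_urls>":
        return re.compile(r"^\w+://.*$")
    m = _MATCH_RE.match(pattern)
    if not m:
        raise ValueError(f"invalid match pattern: {pattern}")
    scheme, host, path = m.groups()
    scheme_re = "https?" if scheme == "*" else scheme
    if host == "*":
        host_re = "[^/]+"
    elif host.startswith("*."):  # "*.example.com" also matches the bare domain
        host_re = r"(?:[^/]+\.)?" + re.escape(host[2:])
    else:
        host_re = re.escape(host)
    path_re = ".*".join(re.escape(part) for part in path.split("*"))
    return re.compile(f"^{scheme_re}://{host_re}{path_re}$")

def audit_manifest(manifest_json, watchlist):
    """Return (risky permissions, {watchlist url: first pattern that reaches it})."""
    manifest = json.loads(manifest_json)
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    patterns = [p for cs in manifest.get("content_scripts", []) for p in cs.get("matches", [])]
    patterns += [p for p in perms if p == "<all_urls>" or "://" in p]  # host permissions
    covered = {}
    for url in watchlist:
        for pat in patterns:
            if match_pattern_to_regex(pat).match(url):
                covered[url] = pat
                break
    return sorted(perms & RISKY_PERMISSIONS), covered
```

Run the audit on every extension update, not just at install time: the article's point is that a previously clean extension turned malicious in a single version bump.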
Security researchers examined the Firefox version of MEGA.nz and determined that it was clean of malicious behavior.
According to a MEGA.nz blog post, the company’s admins uploaded a clean version of the Chrome extension (3.39.5) four hours after a bad actor uploaded the compromised version. Just an hour after that fix, Google removed the updated extension from its Chrome store.
The MEGA.nz team went on to express regret for the event but not without placing some of the blame on Google for its Chrome extension signing policies:
We would like to apologise for this significant incident. MEGA uses strict release procedures with multi-party code review, robust build workflow
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by David Bisson. Read the original post at: https://www.tripwire.com/state-of-security/security-data-protection/compromised-chrome-extension-snooped-on-users-credentials-cryptocurrency-private-keys/