The official Chrome extension for the MEGA.nz file sharing service has been compromised with malicious code that steals usernames and passwords, but also private keys for cryptocurrency accounts, ZDNet has learned.
The malicious behavior was found in the source code of the MEGA.nz Chrome extension version 3.39.4, released as an update earlier today.
Google engineers have already intervened and removed the extension from the official Chrome Web Store, and also disabled the extension for existing users.
According to an analysis of the extension's source, the malicious code triggered on sites such as Amazon, Google, Microsoft, GitHub, the MyEtherWallet and MyMonero web wallet services, and the IDEX cryptocurrency trading platform.
The malicious code would record usernames, passwords, and other session data that attackers would need to log in and impersonate users. If the website managed cryptocurrency, the attacker would also extract the private keys needed to access users' funds.
The extension would send all collected data to a server located at megaopac[.]host, hosted in Ukraine.
Chrome users who used the extension should review the Chrome browser's Extensions section and double-check that it's been disabled.
Out of an abundance of caution, all users should reset passwords at the affected services, and move cryptocurrency funds to new accounts safeguarded by new private keys.
Other extensions have been compromised with malicious code in the past two years. In most instances, past hacks happened after attackers phished extension devs and used access to their accounts to push malicious versions of legitimate extensions.
Google and MEGA.nz spokespersons did not respond to requests for comment before this article's publication.
Credit for discovering the malicious code inside the MEGA.nz Chrome extension goes to an Italian developer and contributor to the Monero Project who goes online by the pseudonym of SerHack.
A copy of the MEGA.nz Chrome extension version 3.39.4 --the one containing the malicious code-- is available via this Dropbox account. Security researchers who looked at the MEGA.nz Firefox add-on did not find any malicious code.
UPDATE [September 5, 4:00 AM, ET]: A MEGA.nz spokesperson responded to ZDNet's request for comment, confirming our report. MEGA.nz shared the following new details about the incident.
The malicious v3.39.4 version was uploaded on the Chrome Web Store on September 4, 2018, at 14:30 UTC. MEGA.nz submitted a new, clean version of the extension to the Chrome Web Store, v3.39.5, four hours later. Google's staff removed the extension one hour later and five hours after the initial breach.
"We would like to apologise for this significant incident," a MEGA.nz spokesperson said. "We are currently investigating the exact nature of the compromise of our Chrome webstore account."
In a blog post published after our initial report, MEGA.nz also showed its dissatisfaction with Google's Chrome Web Store security measures, which, they believe, helped attackers pull off the extension hijack.
"Unfortunately, Google decided to disallow publisher signatures on Chrome extensions and is now relying solely on signing them automatically after upload to the Chrome webstore, which removes an important barrier to external compromise. MEGAsync and our Firefox extension are signed and hosted by us and could therefore not have fallen victim to this attack vector. While our mobile apps are hosted by Apple/Google/Microsoft, they are cryptographically signed by us and therefore immune as well."