Official Chrome Extension of Cloud Storage Service Mega Caught Stealing Passwords, Cryptocurrency Private Keys (zdnet.com) 59
The official Chrome extension for the MEGA.nz file sharing service has been compromised with malicious code that steals usernames and passwords, but also private keys for cryptocurrency accounts, ZDNet reports. From the report: The malicious behavior was found in the source code of the MEGA.nz Chrome extension version 3.39.4, released as an update earlier today. Google engineers have already intervened and removed the extension from the official Chrome Web Store, and also disabled the extension for existing users. According to an analysis of the extension's source, the malicious code triggered on sites such as Amazon, Google, Microsoft, GitHub, the MyEtherWallet and MyMonero web wallet services, and the IDEX cryptocurrency trading platform. The malicious code would record usernames, passwords, and other session data that attackers would need to log in and impersonate users. If the website managed cryptocurrency, the attacker would also extract the private keys needed to access users' funds.
Malicious Code (Score:2)
Re: (Score:1)
So who put that code in the source?
The 'source', of course. Yeah, I'll show myself the door now.
Re: (Score:2)
I don't understand. Why do I need an extension? I can access Mega with my browser just fine without any extensions. What sort of fucktardedness is this?
Re: (Score:2)
They didn't steal my (Score:1)
...Frosty piss
Chrome Extensions = Russian Roulette (Score:3)
Chrome has a terrible record for this. And the worst part is I use Chrome. Have a bunch of extensions I count on daily. I'm guessing the Ublock Origin extension is safe but for my and your other less popular but still super helpful extensions you and I are taking HUGE risks every day by using them.
Get your shit together Google.
Re: (Score:2, Insightful)
You can't count on Google to patrol everything compatible with them. You should ONLY install extensions from known-good developer shops. The fact that something this widespread was a trojan is BAD NEWS, you're right.
Re:Chrome Extensions = Russian Roulette (Score:5, Interesting)
moz-extension://a90b9c76-acf4-4c11-9730-76c34d348fef/mega/secure.html#blog_47
"On 4 September 2018 at 14:30 UTC, an unknown attacker uploaded a trojaned version of MEGA's Chrome extension, version 3.39.4, to the Google Chrome webstore. Upon installation or autoupdate, it would ask for elevated permissions (Read and change all your data on the websites you visit) that MEGA's real extension does not require and would (if permissions were granted) exfiltrate credentials for sites including amazon.com, live.com, github.com, google.com (for webstore login), myetherwallet.com, mymonero.com, idex.market and HTTP POST requests to other sites, to a server located in Ukraine. Note that mega.nz credentials were not being exfiltrated. ...
We would like to apologise for this significant incident. MEGA uses strict release procedures with multi-party code review, robust build workflow and cryptographic signatures where possible. Unfortunately, Google decided to disallow publisher signatures on Chrome extensions and is now relying solely on signing them automatically after upload to the Chrome webstore, which removes an important barrier to external compromise. MEGAsync and our Firefox extension are signed and hosted by us and could therefore not have fallen victim to this attack vector. While our mobile apps are hosted by Apple/Google/Microsoft, they are cryptographically signed by us and therefore immune as well."
Re: (Score:2)
And Mozilla gave up real extensions for this! (Score:1)
Remember how they said that they will become Chrome^W^Wswitch to Chrome-style extensions, precisely so they could prevent things like this from happening?
I hope the entire idiotic inner-platform effect "web platform" dies a horrible death.
BTW: Is there a "platform" running ON "HTML5" yet? (Without employing WebAssembly, and risking things being easily compilable for the OS below, of course. And without merely running a virtual machine, like JSLinux.)
Re: (Score:2)
WTF. Google recommended people use this extension?! The article left that out.
If you want someone else to adjudicate what software is good/bad for you, perhaps you might be happier with an iPad or XBox or PlayStation.
This (Score:2, Insightful)
This kind of crap is why I never install any extensions.
Re: (Score:1)
Really? Because without certain kinds of extensions/add-ons, the web is really pretty much unusable.
Right now in my Chrome, I have 4 different privacy plugins to block the living shit out of the ad companies, trackers, and other parasites.
I can mark sites as not being able to set cookies, run scripts, and in some cases, not be contacted at all (Facebook, Twitter, etc).
I wouldn't use the internet if I didn't have plugins to block all of this shit.
This
Re: (Score:2)
You don't need any plugins at all to do all that. I browse the web with no plugins at all.
Get you a pihole (https://pi-hole.net/), and do that at the dns level.
Re: (Score:1)
Don't worry, Firefox is getting around that with DNS over HTTPS, to satisfy the advertisers who financially back the Mozilla Foundation.
Skim (Score:1)
Did he change his name to Skim Dotcom now?
Huh? (Score:2)
I thought Kimmie doesn't own Mega anymore?
Looks like someone wants to let the legacy live on...
Re: (Score:2)
Mega is his new site.
MegaUpload is the one that was taken down.
Re: (Score:3)
Re:Huh? (Score:4, Interesting)
Interesting:
"The company has suffered from a hostile takeover by a Chinese investor who is wanted in China for fraud," said Dotcom.
"He used a number of straw-men and businesses to accumulate more and more Mega shares. Recently his shares have been seized by the NZ government. Which means the NZ government is in control."
Re: (Score:2)
Re: (Score:2)
I thought Kimmie doesn't own Mega anymore?
Correct, the New Zealand government seized it back in 2015 and are the current owners.
It's day to day operations are performed by a Chinese investor.
It was on Slashdot
https://yro.slashdot.org/story/15/07/27/200204/interviews-kim-dotcom-answers-your-questions [slashdot.org]
Dotcom: I'm not involved in Mega anymore. Neither in a managing nor in a shareholder capacity. The company has suffered from a hostile takeover by a Chinese investor who is wanted in China for fraud. He used a number of straw-men and businesses to accum
unsigned extensions (Score:5, Interesting)
I guess Firefox is smart in requiring signed extensions:
Re: (Score:3)
This is just massively stupid.
So if Google accepts an illegitimate "official" upload, there is no way to verify. Maybe it wasn't MEGA, maybe someone compromised their account---or maybe the Chrome extension site got hacked (and Google hasn't even noticed yet). Without the developer's signature, there's no way for an outside party to be sure that they submitted an app full of malware.
Whoever signs the code owns the problem. If Google doesn't want to be held accountable, they shouldn't be signing extensions.
Re: (Score:3)
Google signs them to prove the official account uploaded the extension.
If mega lost control of their account, what makes you think they wouldn't have lost their private signing key if one was required?
Re: (Score:2)
Signing code is a different workflow than uploading to Google. Also, why not just let both Google and the publisher sign the code, which each signature imparting different meaning?
Re: (Score:2)
Who's going to verify the publishers signature?
You'll need someone you trust to hold the relevant public keys. How is the browser going to know where to find the public key to verify the publishers signature? From a copy held by the Chrome Store? Uploaded using the publishers account, which is what was compromised?
Or verify that Google has signed their signing certificate? Signed using the publishers account to verify their identity?
The application can't do it itself, as that's what is compromised.
You haven
Re: (Score:2)
Compromising the account does not imply that the PKI is also compromised. Updating the public key can require a stringent protocol.
Re: (Score:2)
And the managing of the account that allows anyone who controls it to send automatic updates of arbitrary code to hundreds of thousands, perhaps millions of customer devices, is not as important?
Do you also realise that having the publisher sign the code too requires the device to explicitly trust the publisher, or trust someone else who has signed their certificate?
Mozilla realised this is pointless, you may as well sign it with the party the browser already trusts. You don't sign your own extensions anymo
Re: (Score:2)
I'll simlply defer to what MEGA stated:
Re: (Score:2)
So they signed something that no one is going to check.
Yeah, i'd trust them with security.
Re: (Score:2)
And here's another issue (Score:3)
In Firefox you can disable automatic addons updates and have their new version scanned at least via virustotal which is not a warranty that they are innocuous but at least something. In Chrome extensions updates are fully automatic and if the extension owner has his account hacked (or extensions are sometimes sold) a new version of an extension with new virus "features" might be pushed, "checked" automatically by Google and since their systems often miss malware then you're fucked.
That's the reason why for banking I have a separate Firefox account with just uBlock Origin and nothing else.
Re: (Score:2)
And here's another thought: Google and Mozilla don't spend nearly enough resources to properly verify extensions/addons and since they are so powerful by default (pretty much all extensions/addons for Chrome/Firefox require full access to all websites), all your in-browser data is completely jeopardized and for many people that's all the important data they have: passwords and cloud accounts.
I don't quite understand how JS in addons/extensions work but I don't think it's such a tall order to limit their a
Nobody has mentioned THIS? (Score:3)
Google engineers have already intervened and removed the extension from the official Chrome Web Store, and also disabled the extension for existing users.
So, Goog can remotely access my browser and disbable an extension?
Sounds like another good reason to tell Goog to fuck off.
Re: (Score:3)
Re: (Score:3)
Surprise! You thought you were just installing a browser.... but instead you are installing an application platform and remote telemetry vehicle!
Re: (Score:2)
Is sometimes use Chromium, without adding plug-ins/extensions.
Am I vulnerable through bare Chromium to automated data collection (beyond that my ISP, amongst others, can see what websites I visit when I don't use Tor)?
Re: (Score:2)
Alternatively, they could have yet you run malicious code.
they also told you they'd do that too, btw
20. Additional Terms for Extensions for Google Chrome
20.1 These terms in this section apply if you install extensions on your copy of Google Chrome. Extensions are small software programs, developed by Google or third parties, that can modify and enhance the functionality of Google Chrome. Extensions may have greater privileges to access your browser or your computer than regular webpages, including the ability to read and modify your private data.
20.2 From time to time, Google Chrome may check with remote servers (hosted by Google or by third parties) for available updates to extensions, including but not limited to bug fixes or enhanced functionality. You agree that such updates will be automatically requested, downloaded, and installed without further notice to you.
20.3 From time to time, Google may discover an extension that violates Google developer terms or other legal agreements, laws, regulations or policies. Google Chrome will periodically download a list of such extensions from Google’s servers. You agree that Google may remotely disable or remove any such extension from user systems in its sole discretion.
Re: (Score:2)
http://kb.mozillazine.org/Bloc... [mozillazine.org]
It's not the first nor the last. You can see the list here for Firefox: https://blocked.cdn.mozilla.ne... [mozilla.net]
NSA has the accces required (Score:1)
granted by Google, after an appropriate court order was served up. America's government fights for their own corporate, of course, and they want their own Google and Microsoft to have all the customers and a monopoly on these and other internet services.
Easy access, great opportunity to try to destroy Mega, and get customers. If you have enough customers, you effectively have complete control.
Re: (Score:1)
That's why Google removed the extension from their store and disabled it in all browsers?
Your conspiracy theory makes no sense at all.
Still rockin' IE... (Score:1)
...and I have NO extension...
Re: (Score:2)
Re: (Score:1)