Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Chrome Security IT Technology

Official Chrome Extension of Cloud Storage Service Mega Caught Stealing Passwords, Cryptocurrency Private Keys (zdnet.com) 59

The official Chrome extension for the MEGA.nz file sharing service has been compromised with malicious code that steals usernames and passwords, but also private keys for cryptocurrency accounts, ZDNet reports. From the report: The malicious behavior was found in the source code of the MEGA.nz Chrome extension version 3.39.4, released as an update earlier today. Google engineers have already intervened and removed the extension from the official Chrome Web Store, and also disabled the extension for existing users. According to an analysis of the extension's source, the malicious code triggered on sites such as Amazon, Google, Microsoft, GitHub, the MyEtherWallet and MyMonero web wallet services, and the IDEX cryptocurrency trading platform. The malicious code would record usernames, passwords, and other session data that attackers would need to log in and impersonate users. If the website managed cryptocurrency, the attacker would also extract the private keys needed to access users' funds.
This discussion has been archived. No new comments can be posted.

Official Chrome Extension of Cloud Storage Service Mega Caught Stealing Passwords, Cryptocurrency Private Keys

Comments Filter:
  • So who put that code in the source?
    • by Anonymous Coward

      So who put that code in the source?

      The 'source', of course. Yeah, I'll show myself the door now.

    • I don't understand. Why do I need an extension? I can access Mega with my browser just fine without any extensions. What sort of fucktardedness is this?

  • ...Frosty piss

  • by bogie ( 31020 ) on Wednesday September 05, 2018 @02:02PM (#57258512) Journal

    Chrome has a terrible record for this. And the worst part is I use Chrome. Have a bunch of extensions I count on daily. I'm guessing the Ublock Origin extension is safe but for my and your other less popular but still super helpful extensions you and I are taking HUGE risks every day by using them.

    Get your shit together Google.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      You can't count on Google to patrol everything compatible with them. You should ONLY install extensions from known-good developer shops. The fact that something this widespread was a trojan is BAD NEWS, you're right.

      • by Jerry ( 6400 ) on Wednesday September 05, 2018 @05:27PM (#57260078)

        moz-extension://a90b9c76-acf4-4c11-9730-76c34d348fef/mega/secure.html#blog_47

        "On 4 September 2018 at 14:30 UTC, an unknown attacker uploaded a trojaned version of MEGA's Chrome extension, version 3.39.4, to the Google Chrome webstore. Upon installation or autoupdate, it would ask for elevated permissions (Read and change all your data on the websites you visit) that MEGA's real extension does not require and would (if permissions were granted) exfiltrate credentials for sites including amazon.com, live.com, github.com, google.com (for webstore login), myetherwallet.com, mymonero.com, idex.market and HTTP POST requests to other sites, to a server located in Ukraine. Note that mega.nz credentials were not being exfiltrated. ...

        We would like to apologise for this significant incident. MEGA uses strict release procedures with multi-party code review, robust build workflow and cryptographic signatures where possible. Unfortunately, Google decided to disallow publisher signatures on Chrome extensions and is now relying solely on signing them automatically after upload to the Chrome webstore, which removes an important barrier to external compromise. MEGAsync and our Firefox extension are signed and hosted by us and could therefore not have fallen victim to this attack vector. While our mobile apps are hosted by Apple/Google/Microsoft, they are cryptographically signed by us and therefore immune as well."

      • How do you know if a developer shop is "good"?
    • Remember how they said that they will become Chrome^W^Wswitch to Chrome-style extensions, precisely so they could prevent things like this from happening?

      I hope the entire idiotic inner-platform effect "web platform" dies a horrible death.
      BTW: Is there a "platform" running ON "HTML5" yet? (Without employing WebAssembly, and risking things being easily compilable for the OS below, of course. And without merely running a virtual machine, like JSLinux.)

    • by Sloppy ( 14984 )

      Get your shit together Google.

      WTF. Google recommended people use this extension?! The article left that out.

      If you want someone else to adjudicate what software is good/bad for you, perhaps you might be happier with an iPad or XBox or PlayStation.

  • This (Score:2, Insightful)

    This kind of crap is why I never install any extensions.

    • by Anonymous Coward

      This kind of crap is why I never install any extensions.

      Really? Because without certain kinds of extensions/add-ons, the web is really pretty much unusable.

      Right now in my Chrome, I have 4 different privacy plugins to block the living shit out of the ad companies, trackers, and other parasites.

      I can mark sites as not being able to set cookies, run scripts, and in some cases, not be contacted at all (Facebook, Twitter, etc).

      I wouldn't use the internet if I didn't have plugins to block all of this shit.

      This

      • You don't need any plugins at all to do all that. I browse the web with no plugins at all.

        Get you a pihole (https://pi-hole.net/), and do that at the dns level.

        • by Anonymous Coward

          Don't worry, Firefox is getting around that with DNS over HTTPS, to satisfy the advertisers who financially back the Mozilla Foundation.

  • by Anonymous Coward

    Did he change his name to Skim Dotcom now?

  • I thought Kimmie doesn't own Mega anymore?

    Looks like someone wants to let the legacy live on...

  • unsigned extensions (Score:5, Interesting)

    by ftobin ( 48814 ) on Wednesday September 05, 2018 @02:36PM (#57258890) Homepage

    I guess Firefox is smart in requiring signed extensions:

    "Unfortunately, Google decided to disallow publisher signatures on Chrome extensions and is now relying solely on signing them automatically after upload to the Chrome webstore, which removes an important barrier to external compromise. MEGAsync and our Firefox extension are signed and hosted by us and could therefore not have fallen victim to this attack vector. While our mobile apps are hosted by Apple/Google/Microsoft, they are cryptographically signed by us and therefore immune as well."

    • This is just massively stupid.

      So if Google accepts an illegitimate "official" upload, there is no way to verify. Maybe it wasn't MEGA, maybe someone compromised their account---or maybe the Chrome extension site got hacked (and Google hasn't even noticed yet). Without the developer's signature, there's no way for an outside party to be sure that they submitted an app full of malware.

      Whoever signs the code owns the problem. If Google doesn't want to be held accountable, they shouldn't be signing extensions.

      • Google signs them to prove the official account uploaded the extension.
        If mega lost control of their account, what makes you think they wouldn't have lost their private signing key if one was required?

        • by ftobin ( 48814 )

          Signing code is a different workflow than uploading to Google. Also, why not just let both Google and the publisher sign the code, which each signature imparting different meaning?

          • Who's going to verify the publishers signature?
            You'll need someone you trust to hold the relevant public keys. How is the browser going to know where to find the public key to verify the publishers signature? From a copy held by the Chrome Store? Uploaded using the publishers account, which is what was compromised?
            Or verify that Google has signed their signing certificate? Signed using the publishers account to verify their identity?

            The application can't do it itself, as that's what is compromised.

            You haven

            • by ftobin ( 48814 )

              Compromising the account does not imply that the PKI is also compromised. Updating the public key can require a stringent protocol.

              • And the managing of the account that allows anyone who controls it to send automatic updates of arbitrary code to hundreds of thousands, perhaps millions of customer devices, is not as important?

                Do you also realise that having the publisher sign the code too requires the device to explicitly trust the publisher, or trust someone else who has signed their certificate?

                Mozilla realised this is pointless, you may as well sign it with the party the browser already trusts. You don't sign your own extensions anymo

                • by ftobin ( 48814 )

                  I'll simlply defer to what MEGA stated:

                  MEGAsync and our Firefox extension are signed and hosted by us and could therefore not have fallen victim to this attack vector. While our mobile apps are hosted by Apple/Google/Microsoft, they are cryptographically signed by us and therefore immune as well.

    • Funny thing, is, Chrome requires a signature too, but I guess Google thought it was too complicated for developers and abstracted it away (the web store signs it for you on upload. Of course, even if Google switched to requiring devs to sign with their own keys, it doesn't matter if you sell your extension to someone; they'll just switch to asking for your key as part of the deal.
  • by Artem S. Tashkinov ( 764309 ) on Wednesday September 05, 2018 @03:02PM (#57259088) Homepage

    In Firefox you can disable automatic addons updates and have their new version scanned at least via virustotal which is not a warranty that they are innocuous but at least something. In Chrome extensions updates are fully automatic and if the extension owner has his account hacked (or extensions are sometimes sold) a new version of an extension with new virus "features" might be pushed, "checked" automatically by Google and since their systems often miss malware then you're fucked.

    That's the reason why for banking I have a separate Firefox account with just uBlock Origin and nothing else.

    • And here's another thought: Google and Mozilla don't spend nearly enough resources to properly verify extensions/addons and since they are so powerful by default (pretty much all extensions/addons for Chrome/Firefox require full access to all websites), all your in-browser data is completely jeopardized and for many people that's all the important data they have: passwords and cloud accounts.

      I don't quite understand how JS in addons/extensions work but I don't think it's such a tall order to limit their a

  • by rudy_wayne ( 414635 ) on Wednesday September 05, 2018 @03:19PM (#57259222)

    Google engineers have already intervened and removed the extension from the official Chrome Web Store, and also disabled the extension for existing users.

    So, Goog can remotely access my browser and disbable an extension?

    Sounds like another good reason to tell Goog to fuck off.

    • Unfortunately most users have proven to be irresponsible when it comes to keeping their PCs secure. Forced Windows Updates and measures like this are the result.
    • Surprise! You thought you were just installing a browser.... but instead you are installing an application platform and remote telemetry vehicle!

      • Is sometimes use Chromium, without adding plug-ins/extensions.

        Am I vulnerable through bare Chromium to automated data collection (beyond that my ISP, amongst others, can see what websites I visit when I don't use Tor)?

    • Alternatively, they could have yet you run malicious code.

      they also told you they'd do that too, btw

      20. Additional Terms for Extensions for Google Chrome

      20.1 These terms in this section apply if you install extensions on your copy of Google Chrome. Extensions are small software programs, developed by Google or third parties, that can modify and enhance the functionality of Google Chrome. Extensions may have greater privileges to access your browser or your computer than regular webpages, including the ability to read and modify your private data.

      20.2 From time to time, Google Chrome may check with remote servers (hosted by Google or by third parties) for available updates to extensions, including but not limited to bug fixes or enhanced functionality. You agree that such updates will be automatically requested, downloaded, and installed without further notice to you.

      20.3 From time to time, Google may discover an extension that violates Google developer terms or other legal agreements, laws, regulations or policies. Google Chrome will periodically download a list of such extensions from Google’s servers. You agree that Google may remotely disable or remove any such extension from user systems in its sole discretion.

    • http://kb.mozillazine.org/Bloc... [mozillazine.org]

      It's not the first nor the last. You can see the list here for Firefox: https://blocked.cdn.mozilla.ne... [mozilla.net]

  • by Anonymous Coward

    granted by Google, after an appropriate court order was served up. America's government fights for their own corporate, of course, and they want their own Google and Microsoft to have all the customers and a monopoly on these and other internet services.

    Easy access, great opportunity to try to destroy Mega, and get customers. If you have enough customers, you effectively have complete control.

    • That's why Google removed the extension from their store and disabled it in all browsers?
      Your conspiracy theory makes no sense at all.

  • by Anonymous Coward

    ...and I have NO extension...

  • Comment removed based on user account deletion

Pascal is not a high-level language. -- Steven Feiner

Working...