Another Chrome Extension Is Stealing Passwords

Do you use the Chrome browser extension for the MEGA file storage service? If you do, please read this article carefully. The official extension for that service has been compromised. It has been replaced with a malware version that has the capability to steal user login data for a number of popular websites, including Github, Google, Amazon, Microsoft and more.

The extension was compromised on September 4th, when an unknown attacker breached MEGA’s Chrome Web Store account and uploaded the poisoned version of the extension. Any user who installs it is at risk of having their other login credentials stolen.

It gets worse. If you allow auto-updates, then the poisoned version of the extension would have automatically “updated” on your PC or smartphone when the malware was uploaded. Note that when the extension attempted to update, it would have asked users for elevated permissions. Those elevated permissions would allow the extension access to personal information, which is the mechanism by which the credentials are stolen.

The poisoned file was in place for a total of four hours before it was found, eradicated and replaced by a clean version (version 3.39.5).

According to MEGA:

“You are only affected if you had the MEGA Chrome extension installed at the time of the incident, auto update enabled, and you accepted the additional permission, or if you freshly installed version 3.39.4.”

If you think there’s even a chance you were impacted by this event, your best bet would be an across-the-board change of all your passwords, as there’s no way to be sure which ones may have been compromised.

Two things to note here: The Firefox extension was not impacted. This applies only to chrome users who have the MEGA extension installed. Also, you should check your extension version number immediately to be sure you’re not running version 3.39.4. If you are, uninstall it immediately and grab the clean version referenced above.

Used with permission from Article Aggregator

Share this post: