Skip to main content
  1. Home
  2. Computing
  3. News

Hacked Chrome extension disguised as legitimate version steals logins

Add as a preferred source on Google
Chrome OS
Image used with permission by copyright holder

Cloud storage service Mega.nz revealed that it was hacked on Tuesday, September 4, and users who had installed the service’s Chrome browser extension may have had their passwords to other internet services compromised. The malicious version of the browser extension was uploaded to the Chrome web store by hackers in an effort to gain access to user’s logins for sites such as Amazon, Google, GitHub, and Microsoft. The passwords were sent to a Ukraine-based server.

“On 4 September 2018 at 14:30 UTC, an unknown attacker uploaded a trojaned version of MEGA’s Chrome extension, version 3.39.4, to the Google Chrome webstore,” Mega.nz said in a blog post. “You are only affected if you had the MEGA Chrome extension installed at the time of the incident, auto update enabled and you accepted the additional permission, or if you freshly installed version 3.39.4.” Users accessing the service by typing in the URL into the browser are not affected.

Recommended Videos

In order to gain access to your passwords, Mega.nz explained that the malicious extension asks for elevated permissions, such as the ability to read and change data on all websites you visited, something that the legitimate version of the extension does not require or ask for. If you’re downloading a browser extension, computer program, or app from the internet — even from what is believed to be a trusted source, as this case proves — you should always review what permissions you’re granting. Additionally, users should also try to limit what they install to stay safe.

Users who downloaded the hacked version of the Chrome extension are advised to change their passwords for any affected sites that they use, including amazon.com, live.com, github.com, google.com (for web store login), myetherwallet.com, mymonero.com, and idex.market. Additionally, if you had submitted any information through web forms as plain text, hackers may have been able to capture that information as well.

It’s not immediately clear how hackers were able to hijack Mega.nz’s account to upload the malicious version of the browser extension to the Chrome web store or how many users were affected, though Mega.nz boasts having 100 million registered users. After the breach was discovered, Mega.nz uploaded a clean version of the extension, version 3.39.5, to the Chrome web store. If you had downloaded the trojanized version of the extension, the browser extension should auto-update to the clean version. Google has also removed the malicious version of the extension.

The best bet to stay safe when it comes to browser extension is to not download any extension you won’t need. Like malicious apps, there have been reports in the past of malicious extensions. However, as the incident with Mega.nz demonstrates, even legitimate extension can be hacked, leaving your passwords exposed.

Chuong Nguyen
Silicon Valley-based technology reporter and Giants baseball fan who splits his time between Northern California and Southern…
South Korea wants to give every citizen free, unlimited access to its own AI chatbot
The government-backed service could turn generative AI into public infrastructure instead of another monthly subscription
Electronics, Mobile Phone, Phone

South Korea wants to give every citizen free access to an AI chatbot with no usage limits. That puts the technology closer to a public utility than another premium service demanding a monthly subscription.

The Ministry of Science and ICT announced the AI for Everyone project on July 13. Private companies will build the platform around locally developed models, while a separate AI agent will help people navigate government services. It’s a more practical job than generating emails or settling arguments nobody wanted to research themselves.

Read more
Falling in love with a chatbot is now off limits for kids in China
The crackdown targets emotional AI relationships as regulators worry about the country's record low birthrate.
Replika AI companion app on an iPhone in hand

Ever since AI chatbots arrived on the scene, there has been one aspect that has worried lawmakers and experts a lot: humans forming emotional connections with chatbots. There have been plenty of cases where over-reliance on these AI companions or partners has resulted in medical emergencies, lost lives, and triggered multiple lawsuits against the likes of OpenAI and Meta.

China cracks down on AI companion apps

Read more
Russian hackers keep finding their way into critical networks through neglected routers
A multinational warning says outdated firmware, weak passwords, and insecure settings are giving state-backed attackers an easy opening
A Wi-Fi router next to a laptop.

Russian state-backed hackers have spent more than a decade exploiting a stubborn weakness in critical infrastructure networks. Organizations are still leaving poorly configured and outdated routers exposed to the internet.

In a joint cybersecurity advisory, the NSA, CISA, FBI, and international partners warn that hackers linked to Center 16 of Russia’s Federal Security Service are continuing to target vulnerable networking equipment. Energy, healthcare, and government networks are among the sectors facing the highest risk.

Read more