Hacked Chrome extension disguised as legitimate version steals logins

Chrome OS

Cloud storage service Mega.nz revealed that it was hacked on Tuesday, September 4, and users who had installed the service’s Chrome browser extension may have had their passwords to other internet services compromised. The malicious version of the browser extension was uploaded to the Chrome web store by hackers in an effort to gain access to user’s logins for sites such as Amazon, Google, GitHub, and Microsoft. The passwords were sent to a Ukraine-based server.

“On 4 September 2018 at 14:30 UTC, an unknown attacker uploaded a trojaned version of MEGA’s Chrome extension, version 3.39.4, to the Google Chrome webstore,” Mega.nz said in a blog post. “You are only affected if you had the MEGA Chrome extension installed at the time of the incident, auto update enabled and you accepted the additional permission, or if you freshly installed version 3.39.4.” Users accessing the service by typing in the URL into the browser are not affected.

In order to gain access to your passwords, Mega.nz explained that the malicious extension asks for elevated permissions, such as the ability to read and change data on all websites you visited, something that the legitimate version of the extension does not require or ask for. If you’re downloading a browser extension, computer program, or app from the internet — even from what is believed to be a trusted source, as this case proves — you should always review what permissions you’re granting. Additionally, users should also try to limit what they install to stay safe.

Users who downloaded the hacked version of the Chrome extension are advised to change their passwords for any affected sites that they use, including amazon.com, live.com, github.com, google.com (for web store login), myetherwallet.com, mymonero.com, and idex.market. Additionally, if you had submitted any information through web forms as plain text, hackers may have been able to capture that information as well.

It’s not immediately clear how hackers were able to hijack Mega.nz’s account to upload the malicious version of the browser extension to the Chrome web store or how many users were affected, though Mega.nz boasts having 100 million registered users. After the breach was discovered, Mega.nz uploaded a clean version of the extension, version 3.39.5, to the Chrome web store. If you had downloaded the trojanized version of the extension, the browser extension should auto-update to the clean version. Google has also removed the malicious version of the extension.

The best bet to stay safe when it comes to browser extension is to not download any extension you won’t need. Like malicious apps, there have been reports in the past of malicious extensions. However, as the incident with Mega.nz demonstrates, even legitimate extension can be hacked, leaving your passwords exposed.


Mozilla’s built-in price-tracking extension makes it easy to shop with Firefox

Mozilla has heard those worries about Black Friday shopping, and is now introducing a new set of experimental extensions which aim to make it easier to find the best deals online.

Keep on clicking with the 10 best browsers for Android

Browsing the web on an Android device should not be a pain. Check out our picks for the best browsers for Android, so you can surf the web with greater ease and access a trove of unique features.

Google focuses on making ecommerce safer with the launch of Chrome 71

Starting in December, Google will begin warning web surfers if they're visiting a website with unclear billing terms. Chrome 71 will alert you with a warning when you stumble on a website with deceptive billing practices.

Lost without 'Print Screen'? Here's how to take a screenshot on a Chromebook

Chrome OS has a number of built-in screenshot options, and can also be used with Chrome screenshot extensions for added flexibility. You have a lot of options, but learning how to take a screenshot on a Chromebook is easy.

AMD is pulling ahead in the die shrink race with 7nm CPUs and graphics cards

AMD might have played second fiddle to Intel and AMD for a long time, but it has the potential to leapfrog both when it debuts its new 7nm CPUs and graphics cards in 2019, leading the die-shrink race for the first time in years.

Black Friday 2018: The best deals so far

Black Friday is the biggest shopping holiday of the year, and it will be here before you know it. If you can't wait until November 23 to start formulating a shopping plan, we've got you covered.

Stay connected with the Surface Go LTE Advanced, coming November 20 for $679

The new Surface Go LTE Advanced model delivers benefits for anyone who is looking to enjoy LTE coverage and stay connected on Windows 10 when traveling on the road or away from home.

Cloudflare’s privacy-enhancing DNS service comes to iOS and Android

Cloudflare's DNS resolver service has been ported to mobile devices, and now anyone with an Android or iOS device can download it for free to take advantage of its speed and privacy-boosting features.

The plug-and-play PC Classic joins the retro console bandwagon

Gaming company Unit-e is creating the PC Classic, a plug-and-play retro console that will come bundled with around 30 of the best DOS games. The system will support gamepads and keyboard setups.

Is your PC slow? Here's how to restore Windows 10 to factory settings

Computers rarely work as well after they've accumulated files and misconfigured settings. Thankfully, with this guide, you'll be able to restore your PC to its original state by learning how to factory reset Windows.

Best Buy’s pre-Black Friday deal takes $330 off the 2017 Surface Pro bundle

If you don't need the latest Surface Pro, Best Buy has a heavily discounted rendition of the 2017 model available in its pre-Black Friday sale. For just $1,000, you can get the tablet with a Core i5 CPU.

If you've lost a software key, these handy tools can find it for you

Missing product keys getting you down? We've chosen some of the best software license and product key finders in existence, so you can locate and document your precious keys on your Windows or MacOS machine.

Buying a laptop on Black Friday? Don't make one of these rookie mistakes

Shopping for a laptop on Black Friday can win you some excellent deals, but you should also avoid making common mistakes. Check out what to avoid when buying a laptop for Black Friday and what danger signs to be wary of.

The Mac mini's price jump has crept into iMac territory. How do they compare?

Apple announced a long-awaited update to the Mac mini. Thanks to the updated specs and increase in price, it's begun to creep up to the base model iMac. In this guide, we now put up the specs on the newest refreshed Mac mini against the…