MEGA.nz Chrome Extension Had Malicious Code that Stole Private Keys

The Chrome extension for MEGA.nz, a file sharing service, hosted malicious code that was able to extract usernames, passwords, and private keys for cryptocurrency wallets, ZDNet reports. The problem was discovered in the source code of the official MEGA.nz Chrome extension. MEGA.nz released an update on Tuesday.

Analysts found that the malicious code became active on websites like Google, Microsoft, Amazon, and GitHub among others. It also triggered on cryptocurrency wallets such as MyEtherWallet and MyMonero, and on the IDEX crypto exchange platform.

The compromised code could record usernames and passwords, allowing hackers to log in to the accounts as the users. If the site supported a cryptocurrency like Bitcoin, the attackers would also steal the private keys to move the funds. The extension would then send all the data to a server hosted in Ukraine.

Google engineers have already removed the extension from its store and disabled it for current users. Those who used the MEGA.nz extension can check to make sure that it has been disabled. They should also change their passwords at the targeted services and transfer the crypto funds to other accounts.

The first person to find the malicious code was an Italian developer nicknamed SerHack, who works for the Monero Project.

Initially, Google and MEGA.nz hesitated to provide any comments, but a MEGA.nz spokesperson later told ZDNet:

“We would like to apologize for this significant incident. We are currently investigating the exact nature of the compromise of our Chrome webstore account.”

Soon afterwards, the New Zealand-based service published a blog post on its site explaining the situation and expressing its concerns about Google’s poor security methods.

“Unfortunately, Google decided to disallow publisher signatures on Chrome extensions and is now relying solely on signing them automatically after upload to the Chrome webstore, which removes an important barrier to external compromise,” the blog reads.

In the past two years, several extensions have hosted malicious code that could give hackers access to users’ cryptocurrency funds.

In April of this year, Google started to remove cryptocurrency mining extensions from its store and to block new ones from being listed.
