The security of digital assets remains a key concern as hacks become increasingly common. Now, the MEGA Chrome extension (latest version 3.39.4) has been compromised and can steal users' Monero in addition to other sensitive information, according to Monero's posts on Twitter and Reddit. The official Twitter account of Monero (XMR) posted a warning, advising XMR holders to steer clear of MEGA:
PSA: The official MEGA extension has been compromised and now includes functionality to steal your Monero: https://t.co/vzWwcM9E5k
— Monero || #xmr (@monero) September 4, 2018
MEGA, a New Zealand-based company offering cloud storage and file hosting services, also posted an announcement with details: "On 4 September 2018 at 14:30 UTC, an unknown attacker uploaded a trojaned version of MEGA's Chrome extension, version 3.39.4, to the Google Chrome webstore. Upon installation or autoupdate, it would ask for elevated permissions (Read and change all your data on the websites you visit) that MEGA's real extension does not require and would (if permissions were granted) exfiltrate credentials for sites including amazon.com, live.com, github.com, google.com (for webstore login), myetherwallet.com, mymonero.com, idex.market and HTTP POST requests to other sites, to a server located in Ukraine. Note that mega.nz credentials were not being exfiltrated."
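The warning sign MEGA describes, an update that suddenly asks for broad site access, can be checked by comparing the manifest.json of two extension versions. The following is an added example, not code from MEGA or from the original article; the manifests are constructed samples, the function names are hypothetical, and the list of broad host patterns is an illustrative assumption rather than an exhaustive one.

```javascript
// Added example: flag permission escalation between two versions of an
// extension's manifest.json. The manifests below are constructed samples,
// not MEGA's real manifests.

// Assumed (non-exhaustive) host patterns that grant access to every site,
// the kind of access behind the "Read and change all your data" prompt.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Collect every permission-like entry from a manifest (MV2 or MV3 layout),
// including the match patterns of content scripts.
function collectPermissions(manifest) {
  const perms = new Set([
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []),
  ]);
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) perms.add(m);
  }
  return perms;
}

// Report what the new version requests that the old one did not.
function diffPermissions(oldManifest, newManifest) {
  const before = collectPermissions(oldManifest);
  const added = [...collectPermissions(newManifest)]
    .filter((p) => !before.has(p))
    .sort();
  const broad = added.filter((p) => BROAD_HOSTS.has(p));
  return { added, broad, escalated: broad.length > 0 };
}

// Constructed sample: a narrow-scoped release followed by an update that
// adds all-sites access and request interception.
const oldVersion = {
  version: "1.0.0",
  permissions: ["storage", "*://example-cloud.test/*"],
};
const newVersion = {
  version: "1.0.1",
  permissions: ["storage", "*://example-cloud.test/*", "webRequest", "<all_urls>"],
};

const report = diffPermissions(oldVersion, newVersion);
console.log(report);
```

Run against each update before it is approved for managed browsers, a check like this turns the permission prompt that users tend to click through into a reviewable diff.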
Another user SerHack @serhack_ tweeted:
!!! WARNING !!!!!!! PLEASE PAY ATTENTION!!
LATEST VERSION OF MEGA CHROME EXTENSION WAS HACKED.
It catches your username and password from Amazon, GitHub, Google, Microsoft portals!! It could catch #mega #extension #hacked @x0rz pic.twitter.com/TnPalqj1cz
— SerHack (@serhack_) September 4, 2018
Redditor u/gattacus posted on Monero’s official Reddit page that they became suspicious of foul play after a request for a new permission that followed an extension update.
Four hours after the breach occurred, the trojaned extension was updated by MEGA with a clean version (3.39.5), autoupdating affected installations. Google removed the extension from the Chrome webstore five hours after the breach. MEGA said:
"Unfortunately, Google decided to disallow publisher signatures on Chrome extensions and is now relying solely on signing them automatically after upload to the Chrome webstore, which removes an important barrier to external compromise. MEGAsync and our Firefox extension are signed and hosted by us and could therefore not have fallen victim to this attack vector. While our mobile apps are hosted by Apple/Google/Microsoft, they are cryptographically signed by us and therefore immune as well."
Earlier, in February of this year, researchers from China’s 360Netlab reported that they had found malware called ‘ADB.Miner’, which uses a phone’s hardware power to mine Monero.