
Security warning for MEGA Chrome extension users



On 4 September 2018 at 14:30 UTC, an unknown attacker uploaded a trojaned version of MEGA's Chrome extension, version 3.39.4, to the Google Chrome webstore. Upon installation or autoupdate, it would ask for elevated permissions (Read and change all your data on the websites you visit) that MEGA's real extension does not require and would (if permissions were granted) exfiltrate credentials for sites including amazon.com, live.com, github.com, google.com (for webstore login), myetherwallet.com, mymonero.com, idex.market and HTTP POST requests to other sites, to a server located in Ukraine. Note that mega.nz credentials were not being exfiltrated.
Four hours after the breach occurred, the trojaned extension was updated by MEGA with a clean version (3.39.5), autoupdating affected installations. Google removed the extension from the Chrome webstore five hours after the breach.
You are affected only if you had the MEGA Chrome extension installed at the time of the incident with autoupdate enabled and you accepted the additional permission, or if you freshly installed version 3.39.4. If, while the trojaned extension was active, you visited any site or used another extension that sends plain-text credentials in POST requests, whether by direct form submission or via a background XMLHttpRequest (MEGA itself does not), treat your credentials on those sites and applications as compromised.
Users accessing https://mega.nz without the Chrome extension have not been affected.
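One way to check a machine for the affected build, as an added example that is not MEGA's code and not part of the original notice: Chrome unpacks each installed extension to `<profile>/Extensions/<extension id>/<version>/manifest.json` (for example `~/.config/google-chrome/Default/Extensions` on Linux, `~/Library/Application Support/Google/Chrome/Default/Extensions` on macOS, `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions` on Windows), so the version that was installed can be read from disk even after the webstore listing was pulled. The script below flags a MEGA manifest that is version 3.39.4 or that requests a broad host permission. The mapping from the warning text "Read and change all your data on the websites you visit" to the `<all_urls>` / `*://*/*` patterns is an assumption about Chrome's permission warnings; the notice quotes only the warning text. The extension ID, the matching-by-name heuristic and all sample manifests are assumptions constructed for the example.

```python
"""Local check for the trojaned MEGA Chrome extension build (3.39.4).

Added illustration, not MEGA's code. It reads the unpacked extension
manifests Chrome keeps under <profile>/Extensions/<id>/<version>/ and flags
a MEGA extension that is version 3.39.4 or that requests a broad host
permission (the one Chrome describes as "Read and change all your data on
the websites you visit").
"""
import json
import tempfile
from pathlib import Path

TROJANED_VERSION = "3.39.4"   # build uploaded by the attacker (from the notice)
CLEAN_VERSION = "3.39.5"      # clean build MEGA pushed four hours later

# Assumption: these host patterns are the ones that produce Chrome's
# "all websites" warning. The notice quotes the warning, not the manifest.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def broad_host_permissions(manifest: dict) -> set:
    """Return the broad host patterns requested anywhere in the manifest.

    Manifest V2 lists host patterns under "permissions", Manifest V3 under
    "host_permissions"; both keys are checked so either layout works.
    """
    requested = set(manifest.get("permissions", []))
    requested |= set(manifest.get("host_permissions", []))
    return requested & BROAD_HOST_PATTERNS


def evaluate_manifest(manifest: dict) -> dict:
    """Classify one manifest. Matching on the name is a heuristic: a localised
    name such as __MSG_appName__ would not match, in which case match on the
    extension's directory (its ID) instead."""
    name = str(manifest.get("name", ""))
    version = str(manifest.get("version", ""))
    broad = broad_host_permissions(manifest)
    is_mega = "mega" in name.lower()
    return {
        "name": name,
        "version": version,
        "is_mega": is_mega,
        "trojaned_version": is_mega and version == TROJANED_VERSION,
        "broad_host_permissions": sorted(broad),
        # Either signal alone is enough to warrant rotating credentials.
        "suspicious": is_mega and (version == TROJANED_VERSION or bool(broad)),
    }


def scan_extensions_dir(root) -> list:
    """Walk <root>/<id>/<version>/manifest.json and return MEGA findings only."""
    findings = []
    for manifest_path in sorted(Path(root).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, don't crash
        result = evaluate_manifest(manifest)
        result["path"] = str(manifest_path)
        if result["is_mega"]:
            findings.append(result)
    return findings


def demo() -> list:
    """Build a constructed Extensions tree in a temp dir and scan it.

    All three manifests are made up for the example; the permission lists do
    not reproduce the real extension's manifest.
    """
    samples = {
        "aaaa_mega/3.39.4": {"name": "MEGA", "version": "3.39.4",
                             "permissions": ["storage", "<all_urls>"]},
        "aaaa_mega/3.39.5": {"name": "MEGA", "version": "3.39.5",
                             "permissions": ["storage", "*://mega.nz/*"]},
        "zzzz_other/1.0":   {"name": "Other", "version": "1.0",
                             "permissions": ["tabs", "<all_urls>"]},
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, manifest in samples.items():
            path = Path(root) / rel
            path.mkdir(parents=True)
            (path / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
        return scan_extensions_dir(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding["version"], "SUSPICIOUS" if finding["suspicious"] else "ok",
              finding["broad_host_permissions"])
```

Run it against a real profile with `scan_extensions_dir("<profile>/Extensions")`. A positive hit only tells you the build was present; whether the permission prompt was accepted is not recorded in the manifest, so the rotation advice in the notice applies to anyone who finds 3.39.4 on disk.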
We would like to apologise for this significant incident. MEGA uses strict release procedures with multi-party code review, robust build workflow and cryptographic signatures where possible. Unfortunately, Google decided to disallow publisher signatures on Chrome extensions and is now relying solely on signing them automatically after upload to the Chrome webstore, which removes an important barrier to external compromise. MEGAsync and our Firefox extension are signed and hosted by us and could therefore not have fallen victim to this attack vector. While our mobile apps are hosted by Apple/Google/Microsoft, they are cryptographically signed by us and therefore immune as well.
We are currently investigating the exact nature of the compromise of our Chrome webstore account.
