

We're getting reports that the latest version of the MEGA Chrome Extension was hacked.
SerHack, developer of the Monero cryptocurrency, tweeted warnings that urged users to remove the extension after a review of the code revealed several cryptocurrency wallets were affected.

"It includes functionality to collect login usernames and passwords for many common websites, including but not limited to: Google, Facebook, MyEtherWallet, MyMonero, GitHub, Microsoft Live/one drive." "If you use the official MEGA Chrome extension, please stop using it immediately," a Reddit user said. According to several recent posts on Twitter and Reddit, MEGA version 3.39.4 has been compromised. The latest version of the MEGA extension for Google's Chrome browser has been hacked to include functionality that allows the hackers to steal cryptocurrency in addition to other sensitive information.

"Please note that if you visited any site or made use of another extension that sends plain-text credentials through POST requests, either by direct form submission or through a background XMLHttpRequest process (MEGA is not one of them) while the trojaned extension was active, consider that your credentials were compromised on these sites and/or applications." Further, MEGA said it was investigating the exact nature of the compromise.
The file-sharing host also confirmed users of the extension would have been affected if it was installed at the time of the incident, with "auto update enabled and you accepted the additional permission, or if you freshly installed version 3.39.4."

EDT - MEGA responded to the hack of its Chrome extension and expressed dissatisfaction with Google's Chrome Web Store security measures. In a blog post, MEGA said it updated the extension with a clean version (3.39.5) four hours after the breach occurred, while Google removed the older version of the extension from the Chrome Web Store five hours after the breach. The one-hour time gap, MEGA believes, helped attackers pull off the extension hijack.

"We would like to apologize for this significant incident. MEGA uses strict release procedures with multi-party code review, robust build workflow and cryptographic signatures where possible. Unfortunately, Google decided to disallow publisher signatures on Chrome extensions and is now relying solely on signing them automatically after upload to the Chrome webstore, which removes an important barrier to external compromise," MEGA said.
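An added example, not part of the article or MEGA's own code: a Python check that walks a Chrome profile's Extensions directory and flags any installed MEGA copy at the compromised version 3.39.4, listing the permissions its manifest requests. The on-disk layout and the match on the word "MEGA" in the manifest name are assumptions; confirm any hit against the extension's ID in the Chrome Web Store.

```python
import json, re, sys
from pathlib import Path

AFFECTED = "3.39.4"  # compromised release named in the article

def _load(path):
    try:
        return json.loads(path.read_text(encoding="utf-8-sig"))
    except (OSError, ValueError):
        return None  # unreadable or malformed JSON

def display_name(ext_dir, manifest):
    """Resolve a localized "__MSG_key__" name through _locales/<default_locale>."""
    name = str(manifest.get("name", ""))
    m = re.fullmatch(r"__MSG_(\w+)__", name)
    if m:
        locale = str(manifest.get("default_locale", "en"))
        msgs = _load(ext_dir / "_locales" / locale / "messages.json")
        for key, entry in (msgs if isinstance(msgs, dict) else {}).items():
            if key.lower() == m.group(1).lower() and isinstance(entry, dict):
                return str(entry.get("message", name))
    return name

def audit(extensions_root):
    """List installed copies whose name contains the word MEGA.
    Assumed layout: <root>/<extension id>/<version dir>/manifest.json"""
    found = []
    for path in sorted(Path(extensions_root).glob("*/*/manifest.json")):
        manifest = _load(path)
        if not isinstance(manifest, dict):
            continue
        name = display_name(path.parent, manifest)
        if not re.search(r"\bmega\b", name, re.IGNORECASE):  # assumption: match by name
            continue
        version = str(manifest.get("version", ""))
        found.append({"id": path.parent.parent.name, "version": version,
                      "affected": version == AFFECTED,
                      "permissions": manifest.get("permissions", [])})
    return found

if __name__ == "__main__" and len(sys.argv) > 1:
    # Usage: python audit_mega.py <path to the profile's Extensions directory>
    for row in audit(sys.argv[1]):
        print(row)
```

A row with `affected` set to true means the profile ran the trojaned build, so the credential exposure described in MEGA's statement applies to sites used while it was active.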
