MEGA, a New Zealand-based cloud storage and file hosting service, recently issued a security warning regarding a "trojaned" version of its extension that an unknown attacker uploaded to the Chrome Web Store. The malicious update, version 3.39.4, asked for permission to read and change data on websites that users visited. The MEGA team noted that affected sites included amazon.com, github.com, google.com, myetherwallet.com, and mymonero.com, among others.
Four hours after the security breach, MEGA updated the malicious version with a "clean" one (3.39.5). An hour after that, Google removed the extension from the Chrome Web Store. As of press, 3.40.2 is available for download.
Individuals were only affected by the hack if they had the MEGA Chrome extension installed when the attack occurred and had the auto-update feature enabled and accepted the additional permission request (or if they downloaded 3.39.4 directly from the web store). The MEGA crew further told users that if they visited any site during the attack, then they should "consider that [their] credentials were compromised on these sites and/or applications."
Although the hack affected various data and information across multiple websites, the attack specifically exposed users' cryptocurrency accounts associated with the extension. Both MyEtherWallet and Monero, for instance, warned their users about the compromise over Twitter:
Some MyEtherWallet users were also affected in July when the Hola Chrome extension was hacked.
The MEGA crew believes the recent incident is related to a change on Google's end that disallows publisher signatures on Chrome extensions. Apparently, Google "is now relying solely on signing [extensions] automatically after upload to the Chrome webstore, which removes an important barrier to external compromise." The team indicated that its Firefox extension would not have been able to experience this type of attack.
MEGA is looking into the nature of the hack.