Any user with this extension should immediately delete it, and decline when it asks permissions to read data on all websites.

UPDATE: MEGA has issued the following statement:

On 4 September 2018 at 14:30 UTC, an unknown attacker uploaded a trojaned version of MEGA’s Chrome extension, version 3.39.4, to the Google Chrome webstore. Upon installation or autoupdate, it would ask for elevated permissions (Read and change all your data on the websites you visit) that MEGA’s real extension does not require and would (if permissions were granted) exfiltrate credentials for sites including, ,, (for webstore login),, , idex.market and HTTP POST requests to other sites, to a server located in Ukraine. Note that mega.nz credentials were not being exfiltrated.

Four hours after the breach occurred, the trojaned extension was updated by MEGA with a clean version (3.39.5), autoupdating affected installations. Google removed the extension from the Chrome webstore five hours after the breach.

You are only affected if you had the MEGA Chrome extension installed at the time of the incident, autoupdate enabled and you accepted the additional permission, or if you freshly installed version 3.39.4.

Please note that if you visited any site or made use of another extension that sends plain-text credentials through POST requests, either by direct form submission or through a background XMLHttpRequest process (MEGA is not one of them) while the trojaned extension was active, consider that your credentials were compromised on these sites and/or applications.

Users accessing without the Chrome extension have not been affected.

We would like to apologise for this significant incident. MEGA uses strict release procedures with multi-party code review, robust build workflow and cryptographic signatures where possible. Unfortunately, Google decided to disallow publisher signatures on Chrome extensions and is now relying solely on signing them automatically after upload to the Chrome webstore, which removes an important barrier to external compromise. MEGAsync and our Firefox extension are signed and hosted by us and could therefore not have fallen victim to this attack vector. While our mobile apps are hosted by Apple/Google/Microsoft, they are cryptographically signed by us and therefore immune as well.
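A quick way to check whether a Chrome profile carries the affected build, as an added example that is not part of the original post and not MEGA's code. It walks the profile's `Extensions/<id>/<version>/manifest.json` tree and flags a MEGA-named extension at version 3.39.4 (the build MEGA's statement calls trojaned) or any extension requesting host access to every site. Assumptions, labelled in the code: the "Read and change all your data on the websites you visit" warning corresponds to the `<all_urls>` / `*://*/*` host-permission patterns, the substring `mega` in the manifest name identifies the extension, and the sample profile it builds (fake IDs, fake manifests) is constructed here for offline use.

```python
"""Audit Chrome extension manifests for the September 2018 MEGA extension incident."""
import json
import os
import tempfile
from dataclasses import dataclass

# Versions taken from MEGA's statement: 3.39.4 trojaned, 3.39.5 the clean replacement.
TROJANED_VERSION = "3.39.4"
CLEAN_VERSION = "3.39.5"

# Assumption: these host-permission patterns trigger Chrome's
# "Read and change all your data on the websites you visit" warning.
ALL_SITES_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


@dataclass
class Finding:
    ext_id: str
    name: str
    version: str
    all_sites: bool
    verdict: str


def broad_host_access(manifest: dict) -> bool:
    """True if the manifest requests host access to every website.

    Manifest V2 mixes host patterns into "permissions"; Manifest V3 keeps them
    in "host_permissions", so both keys are checked.
    """
    requested = list(manifest.get("permissions", [])) + list(manifest.get("host_permissions", []))
    return any(p in ALL_SITES_PATTERNS for p in requested)


def assess_manifest(ext_id: str, manifest: dict) -> Finding:
    """Classify one manifest against the incident indicators.

    Assumption: a plain substring match on the manifest "name" identifies MEGA;
    a localised name (__MSG_xxx__) would need a _locales lookup first.
    """
    name = str(manifest.get("name", ""))
    version = str(manifest.get("version", ""))
    all_sites = broad_host_access(manifest)
    is_mega = "mega" in name.lower()

    if is_mega and version == TROJANED_VERSION:
        verdict = "TROJANED"    # the build MEGA's statement says was malicious
    elif is_mega and all_sites:
        verdict = "SUSPICIOUS"  # MEGA's real extension does not need all-sites access
    elif is_mega:
        verdict = "CLEAN"
    elif all_sites:
        verdict = "BROAD"       # not MEGA, but able to read every POST body
    else:
        verdict = "OK"
    return Finding(ext_id, name, version, all_sites, verdict)


def scan_extensions_dir(root: str) -> list:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and assess each."""
    findings = []
    for ext_id in sorted(os.listdir(root)):
        ext_dir = os.path.join(root, ext_id)
        if not os.path.isdir(ext_dir):
            continue
        for version_dir in sorted(os.listdir(ext_dir)):
            path = os.path.join(ext_dir, version_dir, "manifest.json")
            if not os.path.isfile(path):
                continue
            with open(path, encoding="utf-8") as fh:
                findings.append(assess_manifest(ext_id, json.load(fh)))
    return findings


# Constructed sample profile: fake extension IDs and fake manifests, for offline runs.
SAMPLE_MANIFESTS = {
    ("abcdefghijklmnopabcdefghijklmnop", "3.39.4_0"): {
        "name": "MEGA", "version": "3.39.4", "permissions": ["storage", "<all_urls>"]},
    ("abcdefghijklmnopabcdefghijklmnop", "3.39.5_0"): {
        "name": "MEGA", "version": "3.39.5", "permissions": ["storage", "https://mega.nz/*"]},
    ("ponmlkjihgfedcbaponmlkjihgfedcba", "1.0_0"): {
        "name": "Example Helper", "version": "1.0", "host_permissions": ["*://*/*"]},
    ("aabbccddeeffgghhaabbccddeeffgghh", "2.1_0"): {
        "name": "Tab Tidy", "version": "2.1", "permissions": ["tabs"]},
}


def build_sample_profile() -> str:
    """Write the constructed manifests into a temporary Extensions directory."""
    root = tempfile.mkdtemp(prefix="Extensions-")
    for (ext_id, version_dir), manifest in SAMPLE_MANIFESTS.items():
        d = os.path.join(root, ext_id, version_dir)
        os.makedirs(d)
        with open(os.path.join(d, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_profile()
    for f in scan_extensions_dir(target):
        print(f"{f.verdict:10} {f.name!r:20} {f.version:10} all_sites={f.all_sites} ({f.ext_id})")
```

Run it against a real profile by passing the Extensions directory as the argument (on Linux, `~/.config/google-chrome/Default/Extensions`). Two caveats: the manifest records what an extension requested, not what the user granted, which Chrome keeps in the profile's Preferences file that this script does not parse; and a clean 3.39.5 on disk today does not prove that 3.39.4 was never installed and its permission accepted, which is the condition MEGA's statement ties exposure to.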