The MEGA Chrome extension for file hosting included JavaScript code designed to monitor web traffic in order to steal the user’s login credentials from a large selection of sites.
First Published 7th September 2018
Guilty by extension.
3 min read | Reflare Research Team
On September 4th 2018, an infosec researcher and developer on the Monero cryptocurrency project called SerHack discovered that the Chrome browser extension for the MEGA file hosting service included malware designed to steal passwords from users. After a surprisingly quick response time of fewer than 4 hours from MEGA’s IT team and additional actions taken by Google’s team to suspend the plugin, the offending code was removed. MEGA later issued a statement covering the incident and claiming that an unknown attacker had somehow gained access to the company’s Chrome Webstore account and uploaded the malware-infected version.
Impact assessment
Google Chrome automatically updates installed browser plugins. This feature is useful for keeping the plugins up to date and avoiding known vulnerabilities from lingering in users’ browsers. This time though, it also meant that any users of the MEGA plugin for Chrome who were online on September 4th 2018 while the malicious plugin was live, were likely hit by the attack. If you think you might be affected, changing all passwords for all services you use is the prudent thing to do. It is important to note that only users of the Chrome MEGA plugin were affected. Users of the MEGA plugin for other browsers or MEGA users that do not use the plugin were not exposed to any risk.
The impact of plugins
Browser plugins are one of the most dangerous and simultaneously most overlooked elements of the modern internet. Since all major browsers automatically update plugins, malware can spread across them at incredible speed. And since the vast majority of online interactions happen through a browser, malicious plugins can easily extract credentials or other information for just about any service used. Combined with the fact that many users still reuse passwords across different services, this makes a rogue plugin extremely dangerous.
Many users are unaware of just what plugins they are using or how much access they have to their data. In the early days of browser plugins, they were granted access to all data sent to and received from websites by default. In recent years, browser developers have continuously restricted the access granted by default, but it is still very common to see plugins request access to “all website data”. Since this doesn’t deter users from using the plugins, developers are not incentivized to write tighter and more secure code.
Malice vs Breaches
In the case examined above, MEGA and its users fell victim to a breach. However, the purposeful deployment of malicious plugins is equally common. Many criminals develop and publish plugins with useful functionality that contain hidden malicious features.
While less sophisticated attackers will include the malicious features from the start, more advanced criminals commonly provide only the useful features at first to build up a sizeable user base. Once enough users are using the plugin, a new version including malware is then released for maximum impact.
Likewise, an initially benevolent extension developer may fall under financial or other duress and see the inclusion of malware as a way to quickly turn a financial profit.
How can I protect myself?
The first and most important step is to gain an overview of what plugins you are currently using. Plugins tend to accumulate over time and many users aren’t aware of just how many they currently have installed.
The second step is to remove all plugins that are either not currently used or released by untrusted developers. The more permissions a plugin requires (anything from limited access to data from a single website to full access to all websites), the more trusted the developer should be. The exact judgment call can be difficult but boils down to the classic risk-reward trade-off.
From an organizational perspective, prohibiting the use of plugins altogether through technical and policy measures is a reasonable choice. If your business relies on certain plugins, they should be individually whitelisted. Still, the risks of using a plugin will usually outweigh the rewards in an organizational setting.