MEGA secure upload service gets its Chrome extension hacked

Remember MEGA – or, more precisely, Megaupload as it once was?
Sure you do!
It was a New Zealand cloud storage business masterminded by Kim Dotcom, a larger-than-life digital-era entrepreneur (Dotcom is literally as well as figuratively big, standing more than 2m tall).
Megaupload is no more, having ended up embroiled in piracy allegations that led to a controversial raid on Dotcom’s home, Dotcom’s high-profile arrest, and the demise of the company.
Dotcom himself is still in New Zealand, where he’s been fighting extradition to the US for the past six years.
As far as we know, three Kiwi courts have already pronounced that his extradition can go ahead, so Dotcom is down to his final legal appeal now, assuming he can persuade the Supreme Court to hear his case.

After the bust

After the bust, the Megaupload service noisily reinvented itself, minus the controversial word “upload”, as the capital-lettered MEGA, bullishly and very pointedly launching on the anniversary of Dotcom’s arrest.
MEGA took the approach that by doing all its cryptography right in your browser, instead of relying on encrypted sessions terminating at the company’s servers, it wouldn’t know and would never be able to tell what you had uploaded.
The only person who would ever have copies of the cryptographic keys used for scrambling and unscrambling your files would be you – just as if you encrypted them offline on a USB drive and then uploaded a sector-level disk image of the already-encrypted data.

The new-look MEGA service announced itself as truly secure cloud storage and argued that it could never again be accused of knowingly contributing to copyright infringement.
Similarly, there would be no point in any law enforcement agency appealing to MEGA to decrypt customer data, with or without a warrant.
The company simply couldn’t comply with any such request in the first place, so it could never be accused of refusing to comply.

If this sounds familiar in 2018, it’s because true end-to-end encryption has become mainstream since Mega’s launch in 2013, and is now implemented in many of today’s mobile and web-based products, notably messaging apps and password managers.
As for Kim Dotcom, well, he fell out with Mega in 2015, claiming that he no longer trusted the site for a variety of rather vague reasons related to Chinese investment, New Zealand government involvement and Hollywood interference.
MEGA, for its part, is sailing along without Dotcom, dubbing itself as “The Privacy Company,” with an enviably simple tagline of user-encrypted cloud services.

OK, that’s enough by way of introduction.
(We took our time about it because we thought the company’s history, both legally and cryptographically, was interesting – and intriguing! – enough to repeat here.)
Today’s story isn’t about any of that – it deals with a security advisory issued yesterday by MEGA, warning that a hacked version of its Chrome browser plugin ended up in the Chrome webstore for several hours.
Somehow, crooks got hold of MEGA’s webstore upload credentials, built a bogus version of the company’s plugin that was Trojanised with password-stealing code, and uploaded it as the latest official release.
One of Chrome’s big security features, of course, is automatic updating, so anyone who was online during the danger period (2018-09-04T14:30Z to 2018-09-04T18:30Z) may very well have received the malware-laden version.
According to MEGA, the infected extension sniffed out and stole “credentials for sites including amazon.com, live.com, github.com, google.com (for webstore login), myetherwallet.com, mymonero.com, [and] idex.market.”
Additionally, says MEGA, “HTTP POST requests to other sites” were logged and exfiltrated, too.

What does this mean?

As far as we can make out from MEGA’s rather brief statement, what this means is that any credentials for the abovementioned sites would have been sniffed out and stolen by the crooks.
Also, just about any data you entered in a web form (or any file you uploaded) on any non-HTTPS website was probably stolen, too.
Ironically, it looks as though Google’s walled garden safety procedures only kicked in after five hours, an hour after MEGA had managed to overwrite the bogus update (3.39.4) with a legitimate one (3.39.5).
As a result, the MEGA extension is currently no longer available at all on the webstore – not even the updated one that overwrote the imposter.
(At the time of writing [2018-09-05T16:30Z], there were several extensions using MEGA’s logo and brand name, apparently none of which were the real deal.)
In another irony, noted by MEGA in its security report, Chrome extensions accepted for the webstore are digitally signed by Google on behalf of their creators.
This official digital signature is therefore applied by Google after an unsigned extension is uploaded, rather than applied by the creator before the upload happens.
In other words, once the crooks had got hold of MEGA’s webstore login credentials, they’d already hit a home run because they didn’t need MEGA’s code signing keys as well – they could upload unsigned code that Google would sign for them.
And, in a final irony, passwords for and data stored on MEGA itself weren’t targeted by the poisoned extension – whether that was a backhanded compliment from the crooks, or a bit of a slap in the face, we can’t say.

What to do?

• If you don’t use MEGA, you can relax.
• If you use MEGA but don’t use Chrome, you can relax.
• If you use MEGA and Chrome but have never installed the MEGA extension, you can relax.
• If you had the affected extension installed during the time window listed above, consider changing all your passwords.
• If you aren’t using a password manager, consider trying one now. Password managers are particularly helpful when you need to change a whole lot of passwords at the same time.
• If you aren’t using two-factor authentication (2FA), consider it now. We’re guessing that at least some of MEGA’s developers weren’t using 2FA, and that the crooks got in more easily as a result.

As for Google’s code signing policies, we’re inclined to agree with MEGA here: requiring signed uploads would be a good thing.
Even if the extension ultimately ends up signed by Google instead of the creator, surely the additional step of digital validation that Google could carry out when updating an extension would make things harder for the crooks?