Trojanized Extension Uploaded to Google’s Chrome Store

Friday, September 07, 2018

Ionut Arghire


A trojanized version of the MEGA extension was uploaded to the Google Chrome webstore earlier this week and was automatically pushed to users via the autoupdate mechanism.

Through this extension, users get direct access to the MEGA secure cloud storage service in their browser, for improved performance. Also available on Android, the extension is highly popular, with over 1.7 million downloads in the Chrome store (it is also available on MEGA’s website).

On September 4, the cloud storage service announced that an unknown attacker managed to upload a trojanized iteration of the extension (version 3.39.4) to the Google Chrome webstore. The malicious code would immediately be sent to users who had the autoupdate feature enabled.

Once installed, the rogue extension would ask users to allow it to read and change all the data on the websites they visit. Armed with the elevated permissions, the malicious application version would attempt to gather user credentials and send them to a server located in Ukraine, MEGA reveals.

The code was targeting credentials for sites such as,,, (for webstore login),,,, and HTTP POST requests to other sites, but did not target credentials.

According to MEGA, the rogue extension version was removed from the Chrome store and replaced with a legitimate iteration (version 3.39.5) four hours after the breach occurred. The clean variant was served to users through the autoupdate mechanism. Google removed the extension from the webstore five hours after the breach.

“You are only affected if you had the MEGA Chrome extension installed at the time of the incident, autoupdate enabled and you accepted the additional permission, or if you freshly installed version 3.39.4,” MEGA says.

All users who might have visited sites that send plain-text credentials through POST requests (or used another extension that does so) while the trojanized extension was active likely had their credentials compromised, on those sites and/or applications.

The issue, MEGA says, is that Google disallows publisher signatures on Chrome extensions and only relies on signing them automatically after upload to the Chrome webstore.

Thus, although the company uses “strict release procedures with multi-party code review, robust build workflow and cryptographic signatures where possible,” Google’s policy “removes an important barrier to external compromise.”

Both MEGAsync and the service’s Firefox extension, which are hosted by the company, are signed and “could therefore not have fallen victim to this attack vector,” MEGA claims. The mobile apps, which are hosted by Apple/Google/Microsoft, are also cryptographically signed, therefore immune as well.

The company hasn’t provided details on how the Chrome webstore account was compromised but is investigating the incident.

Related: Google Removes Inline Installation of Chrome Extensions

Related: Half Million Impacted by Four Malicious Chrome Extensions


Possibly Related Articles:
malware Extension
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.