
Kim DotCom’s Mega gets pwned, company blames Google, of course

IT’S BEEN quiet on the Kim DotCom front since he lost his latest attempt to avoid extradition to the US, charged with enabling piracy via the now-defunct MegaUpload.

But fret not, because our favourite rotund internet celebrity is back – but it’s not good news.

A report in The Next Web suggests that Mr DotCom’s latest venture, another file-sharing site called Mega, has been hacked to steal credentials and cryptocurrency.

It appears that Mega’s Chrome browser extension had been cloned and uploaded to the Chrome Web Store, and seemingly the upload came from MEGA’s developer account.

Anyone who used that version, available for five hours before it was intercepted, may well need to check their blockchain piggy bank and beyond, with MyEtherWallet, MyMonero, IDEX, Amazon, Microsoft, and Google accounts all ripe for the pwning by whoever is responsible. GitHub and HTTP POST requests are also affected.

Mega is suggesting that the hacked data is being sent to somewhere in Ukraine:

“On 4 September 2018 at 14:30 UTC, an unknown attacker uploaded a trojaned version of MEGA’s Chrome extension, version 3.39.4, to the Google Chrome web store. Upon installation or auto update, it would ask for elevated permissions (Read and change all your data on the websites you visit) that MEGA’s real extension does not require and would (if permissions were granted) exfiltrate credentials for sites.”

Perhaps most irritating for victims is that last bit – there’s no need to change your Mega credentials (though you probably should) just every other ruddy credential that might have been pwned.
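The tell-tale in Mega's statement is an update that suddenly asks for all-sites access. As an added example (not code from Mega, Google or the original article), this Python sketch diffs the permissions of two `manifest.json` files and flags newly requested broad host patterns; the two manifests, the extension name and the version numbers are constructed samples, not MEGA's real files.

```python
import json

# Match patterns that cover every site; requesting one is what produces the
# "Read and change all your data on the websites you visit" prompt.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def requested(manifest):
    """Collect API permissions and host patterns from a parsed manifest.json."""
    perms = set()
    # Manifest V2 mixes APIs and hosts in "permissions"; V3 adds "host_permissions".
    for key in ("permissions", "host_permissions"):
        perms |= {p for p in manifest.get(key, []) if isinstance(p, str)}
    # Content scripts carry their own host patterns in "matches".
    for script in manifest.get("content_scripts", []):
        perms |= {m for m in script.get("matches", []) if isinstance(m, str)}
    return perms

def permission_escalation(old_manifest, new_manifest):
    """Report what an update adds and whether it adds all-sites access."""
    added = requested(new_manifest) - requested(old_manifest)
    return {
        "old_version": old_manifest.get("version"),
        "new_version": new_manifest.get("version"),
        "added": sorted(added),
        "broad_host_access_added": sorted(added & BROAD_HOSTS),
    }

# Constructed sample manifests for a hypothetical extension.
OLD = json.loads("""{
  "name": "Example Extension", "version": "1.0.0", "manifest_version": 2,
  "permissions": ["storage", "https://example.com/*"]
}""")
NEW = json.loads("""{
  "name": "Example Extension", "version": "1.0.1", "manifest_version": 2,
  "permissions": ["storage", "https://example.com/*", "webRequest", "<all_urls>"]
}""")

if __name__ == "__main__":
    report = permission_escalation(OLD, NEW)
    print(json.dumps(report, indent=2))
    if report["broad_host_access_added"]:
        print("ALERT: update requests access to all websites; review before approving")
```

Run against the manifest of the installed version and the one from an update, a non-empty `broad_host_access_added` is the signal to hold the update for review.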

It adds:

“Mega uses strict release procedures with multi-party code review, robust build workflow and cryptographic signatures where possible.

“Unfortunately, Google decided to disallow publisher signatures on Chrome extensions and is now relying solely on signing them automatically after upload to the Chrome web store, which removes an important barrier to external compromise. Megasync and our Firefox extension are signed and hosted by us and could therefore not have fallen victim to this attack vector. While our mobile apps are hosted by Apple/Google/Microsoft, they are cryptographically signed by us and therefore immune as well.

“We are currently investigating the exact nature of the compromise of our Chrome web store account.”

So basically – Mega is blaming Google. Because that’s going to wash, isn’t it. Sigh. 

Usual rules apply – if in doubt – change all the passwords, and if you’re not using 2FA on everything you can, then more fool you. μ

Source: Inquirer
