Bitcoin Forum
October 22, 2018, 12:40:20 AM *
News: Make sure you are not using versions of Bitcoin Core other than 0.17.0 [Torrent], 0.16.3, 0.15.2, or 0.14.3. More info.
 
   Home   Help Search Donate Login Register  
Pages: [1]
  Print  
Author Topic: MEGA.nz Chrome extension caught stealing passwords, cryptocurrency private keys  (Read 103 times)
Hydrogen
Hero Member
*****
Offline Offline

Activity: 938
Merit: 677



View Profile
September 12, 2018, 06:19:22 AM
 #1

Quote
Tainted extension caught stealing passwords for Google, Microsoft, GitHub and Amazon accounts, but also Monero and Ethereum private keys.

The official Chrome extension for the MEGA.nz file sharing service has been compromised with malicious code that steals usernames and passwords, but also private keys for cryptocurrency accounts, ZDNet has learned.

The malicious behavior was found in the source code of the MEGA.nz Chrome extension version 3.39.4, released as an update earlier today.

Google engineers have already intervened and removed the extension from the official Chrome Web Store, and also disabled the extension for existing users.

According to an analysis of the extension's source, the malicious code triggered on sites such as Amazon, Google, Microsoft, GitHub, the MyEtherWallet and MyMonero web wallet services, and the IDEX cryptocurrency trading platform.

The malicious code would record usernames, passwords, and other session data that attackers would need to log in and impersonate users. If the website managed cryptocurrency, the attacker would also extract the private keys needed to access users' funds.

The extension would send all collected data to a server located at megaopac[.]host, hosted in Ukraine.


Chrome users who used the extension should review the Chrome browser's Extensions section and double-check that it's been disabled.

Out of an abundance of caution, all users should reset passwords at the affected services, and move cryptocurrency funds to new accounts safeguarded by new private keys.

Other extensions have been compromised with malicious code in the past two years. In most instances, past hacks happened after attackers phished extension devs and used access to their accounts to push malicious versions of legitimate extensions.

Google and MEGA.nz spokespersons did not respond to requests for comment before this article's publication.

Credit for discovering the malicious code inside the MEGA.nz Chrome extension goes to an Italian developer and contributor to the Monero Project who goes online by the pseudonym of SerHack.

A copy of the MEGA.nz Chrome extension version 3.39.4 --the one containing the malicious code-- is available via this Dropbox account. Security researchers who looked at the MEGA.nz Firefox add-on did not find any malicious code.

UPDATE [September 5, 4:00 AM, ET]: A MEGA.nz spokesperson responded to ZDNet's request for comment, confirming our report. MEGA.nz shared the following new details about the incident.

The malicious v3.39.4 version was uploaded on the Chrome Web Store on September 4, 2018, at 14:30 UTC. MEGA.nz submitted a new, clean version of the extension to the Chrome Web Store, v3.39.5, four hours later. Google's staff removed the extension one hour later and five hours after the initial breach.

"We would like to apologise for this significant incident," a MEGA.nz spokesperson said. "We are currently investigating the exact nature of the compromise of our Chrome webstore account."

In a blog post published after our initial report, MEGA.nz also showed its dissatisfaction with Google's Chrome Web Store security measures, which, they believe, helped attackers pull off the extension hijack.

"Unfortunately, Google decided to disallow publisher signatures on Chrome extensions and is now relying solely on signing them automatically after upload to the Chrome webstore, which removes an important barrier to external compromise. MEGAsync and our Firefox extension are signed and hosted by us and could therefore not have fallen victim to this attack vector. While our mobile apps are hosted by Apple/Google/Microsoft, they are cryptographically signed by us and therefore immune as well."


https://www.zdnet.com/article/mega-nz-chrome-extension-caught-stealing-passwords-cryptocurrency-private-keys/

....

Initial data says google chrome is more vulnerable to this attack vector than firefox due to google disallowing publisher signatures of chrome extensions. Do we have info which says whether firefox is a more secure browser than chrome at this point in time? There may also other alternatives like brave browser which could be worth looking into. And of course linux and its various browser distros.

This might sound counter intuitive but does anyone get a feeling MEGA.nz will gain a largely userbase from this incident than any negative affects felt as a result of bad publicity?

1540168820
Hero Member
*
Offline Offline

Posts: 1540168820

View Profile Personal Message (Offline)

Ignore
1540168820
Reply with quote  #2

1540168820
Report to moderator
1540168820
Hero Member
*
Offline Offline

Posts: 1540168820

View Profile Personal Message (Offline)

Ignore
1540168820
Reply with quote  #2

1540168820
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1540168820
Hero Member
*
Offline Offline

Posts: 1540168820

View Profile Personal Message (Offline)

Ignore
1540168820
Reply with quote  #2

1540168820
Report to moderator
1540168820
Hero Member
*
Offline Offline

Posts: 1540168820

View Profile Personal Message (Offline)

Ignore
1540168820
Reply with quote  #2

1540168820
Report to moderator
Hydrogen
Hero Member
*****
Offline Offline

Activity: 938
Merit: 677



View Profile
September 27, 2018, 11:06:20 AM
 #2

More negative sentiment related to google's chrome browser.

Anyone concerned with privacy of their data and browser tracking related to chrome might want to read this as it details some of chrome's shifting policies in their post "dont be evil" era of history.

Quote
Why I’m done with Chrome

This blog is mainly reserved for cryptography, and I try to avoid filling it with random 512px-Google_Chrome_icon_(September_2014).svg“someone is wrong on the Internet” posts. After all, that’s what Twitter is for! But from time to time something bothers me enough that I have to make an exception. Today I wanted to write specifically about Google Chrome, how much I’ve loved it in the past, and why — due to Chrome’s new user-unfriendly forced login policy — I won’t be using it going forward.

A brief history of Chrome
When Google launched Chrome ten years ago, it seemed like one of those rare cases where everyone wins. In 2008, the browser market was dominated by Microsoft, a company with an ugly history of using browser dominance to crush their competitors. Worse, Microsoft was making noises about getting into the search business. This posed an existential threat to Google’s internet properties.

In this setting, Chrome was a beautiful solution. Even if the browser never produced a scrap of revenue for Google, it served its purpose just by keeping the Internet open to Google’s other products. As a benefit, the Internet community would receive a terrific open source browser with the best development team money could buy. This might be kind of sad for Mozilla (who have paid a high price due to Chrome) but overall it would be a good thing for Internet standards.

For many years this is exactly how things played out. Sure, Google offered an optional “sign in” feature for Chrome, which presumably vacuumed up your browsing data and shipped it off to Google, but that was an option. An option you could easily ignore. If you didn’t take advantage of this option, Google’s privacy policy was clear: your data would stay on your computer where it belonged.

What changed?
A few weeks ago Google shipped an update to Chrome that fundamentally changes the sign-in experience. From now on, every time you log into a Google property (for example, Gmail), Chrome will automatically sign the browser into your Google account for you. It’ll do this without asking, or even explicitly notifying you. (However, and this is important: Google developers claim this will not actually start synchronizing your data to Google — yet. See further below.)

Your sole warning — in the event that you’re looking for it — is that your Google profile picture will appear in the upper-right hand corner of the browser window. I noticed mine the other day:

The change hasn’t gone entirely unnoticed: it received some vigorous discussion on sites like Hacker News. But the mainstream tech press seems to have ignored it completely. This is unfortunate — and I hope it changes — because this update has huge implications for Google and the future of Chrome.

In the rest of this post, I’m going to talk about why this matters. From my perspective, this comes down to basically four points:

Nobody on the Chrome development team can provide a clear rationale for why this change was necessary, and the explanations they’ve given don’t make any sense.
This change has enormous implications for user privacy and trust, and Google seems unable to grapple with this.
The change makes a hash out of Google’s own privacy policies for Chrome.
Google needs to stop treating customer trust like it’s a renewable resource, because they’re screwing up badly.
I warn you that this will get a bit ranty. Please read on anyway.

Google’s stated rationale makes no sense
The new feature that triggers this auto-login behavior is called “Identity consistency between browser and cookie jar” (HN). After conversations with two separate Chrome developers on Twitter (who will remain nameless — mostly because I don’t want them to hate me), I was given the following rationale for the change:

To paraphrase this explanation: if you’re in a situation where you’ve already signed into Chrome and your friend shares your computer, then you can wind up accidentally having your friend’s Google cookies get uploaded into your account. This seems bad, and sure, we want to avoid that.

But note something critical about this scenario. In order for this problem to apply to you, you already have to be signed into Chrome. There is absolutely nothing in this problem description that seems to affect users who chose not to sign into the browser in the first place.

So if signed-in users are your problem, why would you make a change that forces unsigned–in users to become signed-in? I could waste a lot more ink wondering about the mismatch between the stated “problem” and the “fix”, but I won’t bother: because nobody on the public-facing side of the Chrome team has been able to offer an explanation that squares this circle.

And this matters, because “sync” or not…

The change has serious implications for privacy and trust
The Chrome team has offered a single defense of the change. They point out that just because your browser is “signed in” does not mean it’s uploading your data to Google’s servers. Specifically:

While Chrome will now log into your Google account without your consent (following a Gmail login), Chrome will not activate the “sync” feature that sends your data to Google. That requires an additional consent step. So in theory your data should remain local.

This is my paraphrase. But I think it’s fair to characterize the general stance of the Chrome developers I spoke with as: without this “sync” feature, there’s nothing wrong with the change they’ve made, and everything is just fine.

This is nuts, for several reasons.

User consent matters. For ten years I’ve been asked a single question by the Chrome browser: “Do you want to log in with your Google account?” And for ten years I’ve said no thanks. Chrome still asks me that question — it’s just that now it doesn’t honor my decision.

The Chrome developers want me to believe that this is fine, since (phew!) I’m still protected by one additional consent guardrail. The problem here is obvious:

If you didn’t respect my lack of consent on the biggest user-facing privacy option in Chrome (and  didn’t even notify me that you had stopped respecting it!) why should I trust any other consent option you give me? What stops you from changing your mind on that option in a few months, when we’ve all stopped paying attention?

The fact of the matter is that I’d never even heard of Chrome’s “sync” option — for the simple reason that up until September 2018, I had never logged into Chrome. Now I’m forced to learn these new terms, and hope that the Chrome team keeps promises to keep all of my data local as the barriers between “signed in” and “not signed in” are gradually eroded away.

The Chrome sync UI is a dark pattern. Now that I’m forced to log into Chrome, I’m faced with a brand new menu I’ve never seen before. It looks like this:

Does that big blue button indicate that I’m already synchronizing my data to Google? That’s scary! Wait, maybe it’s an invitation to synchronize! If so, what happens to my data if I click it by accident? (I won’t give it the answer away, you should go find out. Just make sure you don’t accidentally upload all your data in the process. It can happen quickly.)

In short, Google has transformed the question of consenting to data upload from something affirmative that I actually had to put effort into — entering my Google credentials and signing into Chrome — into something I can now do with a single accidental click. This is a dark pattern. Whether intentional or not, it has the effect of making it easy for people to activate sync without knowing it, or to think they’re already syncing and thus there’s no additional cost to increasing Google’s access to their data.

Don’t take my word for it. It even gives (former) Google people the creeps.

Big brother doesn’t need to actually watch you. We tell things to our web browsers that we wouldn’t tell our best friends. We do this with some vague understanding that yes, the Internet spies on us. But we also believe that this spying is weak and probabilistic. It’s not like someone’s standing over our shoulder checking our driver’s license with each click.

What happens if you take that belief away? There are numerous studies indicating that even the perception of surveillance can significantly greatly magnify the degree of self-censorship users force on themselves. Will user feel comfortable browsing for information on sensitive mental health conditions — if their real name and picture are always loaded into the corner of their browser? The Chrome development team says “yes”. I think they’re wrong.

For all we know, the new approach has privacy implications even if sync is off. The Chrome developers claim that with “sync” off, a Chrome has no privacy implications. This might be true. But when pressed on the actual details, nobody seems quite sure.

For example, if I have my browser logged out, then I log in and turn on “sync”, does all my past (logged-out) data get pushed to Google? What happens if I’m forced to be logged in, and then subsequently turn on “sync”? Nobody can quite tell me if the data uploaded in these conditions is the same. These differences could really matter.

The changes make hash of the Chrome privacy policy
The Chrome privacy policy is a remarkably simple document. Unlike most privacy policies, it was clearly written as a promise to Chrome’s users — rather than as the usual lawyer CYA. Functionally, it describes two browsing modes: “Basic browser mode” and “signed-in mode”. These modes have very different properties. Read for yourself:

In “basic browser mode”, your data is stored locally. In “signed-in” mode, your data gets shipped to Google’s servers. This is easy to understand. If you want privacy, don’t sign in. But what happens if your browser decides to switch you from one mode to the other, all on its own?

Technically, the privacy policy is still accurate. If you’re in basic browsing mode, your data is still stored locally. The problem is that you no longer get to decide which mode you’re in. This makes a mockery out of whatever intentions the original drafters had. Maybe Google will update the document to reflect the new “sync” distinction that the Chrome developers have shared with me. We’ll see.

Update: After I tweeted about my concerns, I received a DM on Sunday from two different Chrome developers, each telling me the good news: Google is updating their privacy policy to reflect the new operation of Chrome. I think that’s, um, good news. But I also can’t help but note that updating a privacy policy on a weekend is an awful lot of trouble to go to for a change that… apparently doesn’t even solve a problem for signed-out users.

Trust is not a renewable resource
For a company that sustains itself by collecting massive amounts of user data, Google has  managed to avoid the negative privacy connotations we associate with, say, Facebook. This isn’t because Google collects less data, it’s just that Google has consistently been more circumspect and responsible with it.

Where Facebook will routinely change privacy settings and apologize later, Google has upheld clear privacy policies that it doesn’t routinely change. Sure, when it collects, it collects gobs of data, but in the cases where Google explicitly makes user security and privacy promises — it tends to keep them. This seems to be changing.

Google’s reputation is hard-earned, and it can be easily lost. Changes like this burn a lot of trust with users. If the change is solving an absolutely critical problem for users , then maybe a loss of trust is worth it. I wish Google could convince me that was the case.

Conclusion
This post has gone on more than long enough, but before I finish I want to address two common counterarguments I’ve heard from people I generally respect in this area.

One argument is that Google already spies on you via cookies and its pervasive advertising network and partnerships, so what’s the big deal if they force your browser into a logged-in state? One individual I respect described the Chrome change as “making you wear two name tags instead of one”. I think this objection is silly both on moral grounds — just because you’re violating my privacy doesn’t make it ok to add a massive new violation — but also because it’s objectively silly. Google has spent millions of dollars adding additional tracking features to both Chrome and Android. They aren’t doing this for fun; they’re doing this because it clearly produces data they want.

The other counterargument (if you want to call it that) goes like this: I’m a n00b for using Google products at all, and of course they were always going to do this. The extreme version holds that I ought to be using lynx+Tor and DJB’s custom search engine, and if I’m not I pretty much deserve what’s coming to me.

I reject this argument. I think It’s entirely possible for a company like Google to make good, usable open source software that doesn’t massively violate user privacy. For ten years I believe Google Chrome did just this.

Why they’ve decided to change, I don’t know. It makes me sad.

https://blog.cryptographyengineering.com/2018/09/23/why-im-leaving-chrome/

....

This article, coupled with the above OP article addressing chrome's choice to disallow developer signatures means I'm leaving chrome and migrating to brave browser asap.

That said I would be interested to know what the de facto, industry standard, browser of choice is for crypto currency aficionados.

Google used to be somewhat trustworthy and reliable when their motto was "DONT BE EVIL". However in recent times, they have abandoned that in favor of being less moral and principled, which could hurt their business over the long run.

dothebeats
Legendary
*
Offline Offline

Activity: 1610
Merit: 1067

Ninja Member


View Profile
September 27, 2018, 11:16:00 AM
 #3

That's why I don't trust Google Chrome extensions or plugins too much, especially when I'm dealing with money on a machine that I use. I rarely use Chrome for browsing anymore since it's a memory hog and crashes too often, and sticking with stock Opera with no plugins seemed to be the best move so far. One will never know what nefarious things are these browsers and plugins are doing with your data in the background, so it's better to stay stock and avoid installing plugins as much as you can on a machine that you use for banking and other financial services.

This might sound counter intuitive but does anyone get a feeling MEGA.nz will gain a largely userbase from this incident than any negative affects felt as a result of bad publicity?

I don't think so. This will leave a negative impression on MEGA.nz for a while and users will just shrug it off in time as if nothing happened. No actual hacks were reported but still, trust issues would arise from the community.

jseverson
Hero Member
*****
Offline Offline

Activity: 756
Merit: 634


View Profile
September 27, 2018, 11:17:22 AM
 #4

Beyond Chrome, which is something people should be avoiding if they value their privacy anyway, this highlights the fact that browser plugins are yet another attack vector. If you can live without them, please do so. This goes beyond the operating system too, so people using Linux or Mac should be equally cautious despite their reputation for being more secure.

That said I would be interested to know what the de facto, industry standard, browser of choice is for crypto currency aficionados.

I personally use Firefox with Duckduckgo as my default search engine, but I don't know if there's any sort of standard. I wouldn't be surprised if a lot of people used Chrome. Some people use so much of Google's services that changing browsers probably wouldn't do much for them. Convenience over privacy yada yada.

Theb
Sr. Member
****
Offline Offline

Activity: 714
Merit: 321



View Profile
September 27, 2018, 11:34:12 AM
 #5

Could it be MEGA.nz is unaware that their chrome extension is somehow compromise and that the attackers have somehow integrated the malicious software without them knowing? Because I have a strong feeling that is the case since there is no news yet the the extension is compromised on their Firefox extension, and to know that this software only goes active on certain websites tells us that the malicious software wants to remain undetected in the system for a while.

FORTUNEJACK
      ▄▄███████▄▄
   ▄████▀▀ ▄ ██████▄
  ████ ▄▄███ ████████
 █████▌▐███▌ ▀▄ ▀█████
███████▄██▀▀▀▀▄████████
█████▀▄▄▄▄█████████████
████▄▄▄▄ █████████████
 ██████▌ ███▀████████
  ███████▄▀▄████████
   ▀█████▀▀███████▀
      ▀▀██████▀▀
         
         █
...FortuneJack.com                                             
...THE BIGGEST BITCOIN GAMBLING SITE
       ▄▄█████████▄▄
    ▄█████████████████▄
  ▄█████████████████████▄
 ▄██
█████████▀███████████▄
██████████▀   ▀██████████
█████████▀       ▀█████████
████████           ████████
████████▄   ▄ ▄   ▄████████
██████████▀   ▀██████████
 ▀██
█████████████████████▀
  ▀██
███████████████████▀
    ▀█████████████████▀
       ▀▀█████████▀▀
#JACKMATE
WIN 1 BTC
▄█████████████████████████▄
███████████████████████████
███████████████████████████
██████████▀█████▀██████████
███████▀░░▀░░░░░▀░░▀███████
██████▌░░░░░░░░░░░░░▐██████
██████░░░░██░░░██░░░░██████
█████▌░░░░▀▀░░░▀▀░░░░▐█████
██████▄░░▄▄▄░░░▄▄▄░░▄██████
████████▄▄███████▄▄████████
███████████████████████████
███████████████████████████
▀█████████████████████████▀
davis196
Hero Member
*****
Offline Offline

Activity: 994
Merit: 521


View Profile
September 27, 2018, 11:58:33 AM
 #6

I hate Chrome and I still wonder why it is the most popular browser in the world.Well,probably it's because Google owns it. Grin
I am a Firefox fan for years and I browse with a Sandboxed version to isolate any malicious code.
By the way,stealing Myetherwallet passwords doesn't work,because MEW users have to upload a JSON file,in order to login.

sister1001
Member
**
Offline Offline

Activity: 246
Merit: 33

Have a coin?


View Profile
September 27, 2018, 12:05:49 PM
 #7

Google was cool, google was fun and new and broke with the dominance of Explorer and Mozilla and the old crappy search engines like Yahoo and Altavista. And then it started to look like a nightmare of stolen and misused data. I just feel invaded.

These are my alternatives, I hope they are at least a bit less scary:

- Browser: Opera or Brave. Personally I like Brave better.
- Lately, Duck Duck Go for searches.

And I guess I could even end up using Linux, I just don´t think I am ready to make the jump ´cause the learning curve is steep and my time limited.

Dayx
Full Member
***
Offline Offline

Activity: 420
Merit: 106

Signature Designer & Indonesian Translator


View Profile WWW
September 27, 2018, 12:27:12 PM
 #8

this is why i always check my extension on Google Chrome even though i didn't install any plugin on my Chrome. I hate Chrome since it's way too heavy, it's eating my RAM!
but still, it's easier to use, though sometimes I still using Microsoft Edge
ndico
Jr. Member
*
Offline Offline

Activity: 224
Merit: 2

BRINGING MAGIC TO THE TELECOM INDUSTRY


View Profile
September 27, 2018, 12:36:18 PM
 #9

I heard about the hack and On a serious note since i discovered brave browser, I have since moved to using it in anything related to my logins and crypto currency dealings, though I like google chrome and firefox but brave is my first choice

△ M!R△CLE TELE (https://miracletele.com/) ▌  BRINGING MAGIC TO THE TELECOM INDUSTRY ▐
Kemarit
Legendary
*
Offline Offline

Activity: 1050
Merit: 1083


View Profile
September 27, 2018, 01:47:56 PM
 #10

Could it be MEGA.nz is unaware that their chrome extension is somehow compromise and that the attackers have somehow integrated the malicious software without them knowing? Because I have a strong feeling that is the case since there is no news yet the the extension is compromised on their Firefox extension, and to know that this software only goes active on certain websites tells us that the malicious software wants to remain undetected in the system for a while.

It could possibly that (1) someone from inside Mega install the malicious code or (2) their Webstore was breached and put the code so that when you download, it will automatically installed on your machine.

Yes, the Firefox extension was not affected.

Quote
MEGA uses strict release procedures with multi-party code review, robust build workflow and cryptographic signatures where possible. Unfortunately, Google decided to disallow publisher signatures on Chrome extensions and is now relying solely on signing them automatically after upload to the Chrome webstore, which removes an important barrier to external compromise.

https://chromeunboxed.com/news/mega-chrome-extension-hacked-monero-compromised-amazon-google-github

Hydrogen
Hero Member
*****
Offline Offline

Activity: 938
Merit: 677



View Profile
September 28, 2018, 04:07:08 AM
 #11

Could it be MEGA.nz is unaware that their chrome extension is somehow compromise and that the attackers have somehow integrated the malicious software without them knowing? Because I have a strong feeling that is the case since there is no news yet the the extension is compromised on their Firefox extension, and to know that this software only goes active on certain websites tells us that the malicious software wants to remain undetected in the system for a while.

The reason behind mega.nz chrome extensions being compromised while mega.nz firefox addons remained secure was covered in OP.

Quote
In a blog post published after our initial report, MEGA.nz also showed its dissatisfaction with Google's Chrome Web Store security measures, which, they believe, helped attackers pull off the extension hijack.

"Unfortunately, Google decided to disallow publisher signatures on Chrome extensions and is now relying solely on signing them automatically after upload to the Chrome webstore, which removes an important barrier to external compromise. MEGAsync and our Firefox extension are signed and hosted by us and could therefore not have fallen victim to this attack vector. While our mobile apps are hosted by Apple/Google/Microsoft, they are cryptographically signed by us and therefore immune as well."

STT
Legendary
*
Offline Offline

Activity: 1876
Merit: 1084



View Profile WWW
September 28, 2018, 05:28:29 AM
 #12

Could this be some move to discredit the Mega brand and its original owner who is due to face charges before United States courts for copyright infringement I think it is.    Previously they sent in multiple helicopters SWAT squad to combat a family residence for no apparent reason, so apparently anything is possible though Ive no idea for the personal motivation for these possible personal attacks.   Politics I guess, or it could just be a coincidence and either way it sounds a fair point on the signature system.

.FORTUNE.JACK.
      ▄▄███████▄▄
   ▄████▀▀ ▄ ██████▄
  ████ ▄▄███ ████████
 █████▌▐███▌ ▀▄ ▀█████
███████▄██▀▀▀▀▄████████
█████▀▄▄▄▄█████████████
████▄▄▄▄ █████████████
 ██████▌ ███▀████████
  ███████▄▀▄████████
   ▀█████▀▀███████▀
      ▀▀██████▀▀
         
         █
...FortuneJack.com                                             
...THE BIGGEST BITCOIN GAMBLING SITE
       ▄▄█████████▄▄
    ▄█████████████████▄
  ▄█████████████████████▄
 ▄██
█████████▀███████████▄
██████████▀   ▀██████████
█████████▀       ▀█████████
████████           ████████
████████▄   ▄ ▄   ▄████████
██████████▀   ▀██████████
 ▀██
█████████████████████▀
  ▀██
███████████████████▀
    ▀█████████████████▀
       ▀▀█████████▀▀
#JACKMATE
WIN 1 BTC
▄█████████████████████████▄
███████████████████████████
███████████████████████████
██████████▀█████▀██████████
███████▀░░▀░░░░░▀░░▀███████
██████▌░░░░░░░░░░░░░▐██████
██████░░░░██░░░██░░░░██████
█████▌░░░░▀▀░░░▀▀░░░░▐█████
██████▄░░▄▄▄░░░▄▄▄░░▄██████
████████▄▄███████▄▄████████

███████████████████████████
███████████████████████████
▀█████████████████████████▀
NeuroticFish
Legendary
*
Offline Offline

Activity: 1638
Merit: 1075


The real one is http://bitcoin.ORG


View Profile WWW
September 28, 2018, 05:48:37 AM
 #13

Could this be some move to discredit the Mega brand and its original owner

Somebody had access to upload and update for the extension. So Mega team was clearly sloppy on this.

I wouldn't be surprised if a lot of people used Chrome. Some people use so much of Google's services that changing browsers probably wouldn't do much for them. Convenience over privacy yada yada.

Chrome was great when Firefox started to have issues (hanging, crashing...loong ago). For me Chrome almost always worked well, while Firefox was not that far from IE (monolith).
For me Chrome is super convenient for now (shared settings among multiple laptops, ad blocker); I use a small number of extensions, the same extensions for years and never had issues with them.

I may be too relaxed about their privacy breaches, and yes, I know, Google is the new Facebook when we discuss about user data, but on the other hand most of us already gave their soul to Google when started buying and using Android phones. I am not so scared yet about this, but I also know the things go into a bad direction, so, indeed, a new browser may be the solution for a not so far future. I'll look here for ideas Wink

.BITSLER.                 ▄███
               ▄████▀
             ▄████▀
           ▄████▀  ▄██▄
         ▄████▀    ▀████▄
       ▄████▀        ▀████▄
     ▄████▀            ▀████▄
   ▄████▀                ▀████▄
 ▄████▀ ▄████▄      ▄████▄ ▀████▄
█████   ██████      ██████   █████
 ▀████▄ ▀████▀      ▀████▀ ▄████▀
   ▀████▄                ▄████▀
     ▀████▄            ▄████▀
       ▀████▄        ▄████▀
         ▀████▄    ▄████▀
           ▀████▄▄████▀
             ▀██████▀
               ▀▀▀▀
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▄            
▄▄▄▄▀▀▀▀    ▄▄█▄▄ ▀▀▄         
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▄      
█  ▀▄▄  ▀█▀▀ ▄      ▀████   ▀▀▄   
█ █▄  ▀▄   ▀████       ▀▀ ▄██▄ ▀▀▄
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
█  ▀▀       ▀▄▄ ▀████      ▄▄▄▀▀▀  █
█            ▄ ▀▄    ▄▄▄▀▀▀   ▄▄  █
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
█ ▄▄   ███   ▀██  █           ▀▀  █ 
█ ███  ▀██       █        ▄▄      █ 
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀  
▀▄            █        ▀▀      █  
▀▀▄   ███▄  █   ▄▄          █   
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀    
▀▀▄   █   ▀▀▄▄▄▀▀▀         
▄▄▄▄▄▄▄▄▄▄▄█▄▄▀▀▀▀              
              ▄▄▄██████▄▄▄
          ▄▄████████████████▄▄
        ▄██████▀▀▀▀▀▀▀▀▀▀██████▄
▄     ▄█████▀             ▀█████▄
██▄▄ █████▀                ▀█████
 ████████            ▄██      █████
  ████████▄         ███▀       ████▄
  █████████▀▀     ▄███▀        █████
   █▀▀▀          █████         █████
     ▄▄▄         ████          █████
   █████          ▀▀           ████▀
    █████                     █████
     █████▄                 ▄█████
      ▀█████▄             ▄█████▀
        ▀██████▄▄▄▄▄▄▄▄▄▄██████▀
          ▀▀████████████████▀▀
              ▀▀▀██████▀▀▀
            ▄▄▄███████▄▄▄
         ▄█▀▀▀ ▄▄▄▄▄▄▄ ▀▀▀█▄
       █▀▀ ▄█████████████▄ ▀▀█
     █▀▀ ███████████████████ ▀▀█
    █▀ ███████████████████████ ▀█
   █▀ ███████████████▀▀ ███████ ▀█
 ▄█▀ ██████████████▀      ▀█████ ▀█▄
███ ███████████▀▀            ▀▀██ ███
███ ███████▀▀                     ███
███ ▀▀▀▀                          ███
▀██▄                             ▄██▀
  ▀█▄                            ▀▀
    █▄       █▄▄▄▄▄▄▄▄▄█
     █▄      ▀█████████▀
      ▀█▄      ▀▀▀▀▀▀▀
        ▀▀█▄▄  ▄▄▄
            ▀▀█████
[]
eaglewhite80
Member
**
Offline Offline

Activity: 322
Merit: 30


View Profile
September 28, 2018, 01:10:58 PM
 #14

Could it be MEGA.nz is unaware that their chrome extension is somehow compromise and that the attackers have somehow integrated the malicious software without them knowing? Because I have a strong feeling that is the case since there is no news yet the the extension is compromised on their Firefox extension, and to know that this software only goes active on certain websites tells us that the malicious software wants to remain undetected in the system for a while.
Yeah, according to the reports online, they were hacked and they never knew about it but for me, I believe this would have just ended up being an insider thing, and even if was even outside attackers, that really showed there is a problem with chrome extensions security.

There is already news that the Firefox extension of MEGA.nz was not affected and in that case, I would say the whole thing balled down to chrome security as a whole. https://trybe.one/chrome-extension-caught-stealing-passwords-cryptocurrency-private-keys/

fullhdpixel
Hero Member
*****
Offline Offline

Activity: 798
Merit: 509

HEROIC.com|The Future of AI-Powered Cybersecurity


View Profile
September 29, 2018, 12:39:05 PM
 #15

That's why I don't trust Google Chrome extensions or plugins too much, especially when I'm dealing with money on a machine that I use. I rarely use Chrome for browsing anymore since it's a memory hog and crashes too often, and sticking with stock Opera with no plugins seemed to be the best move so far. One will never know what nefarious things are these browsers and plugins are doing with your data in the background, so it's better to stay stock and avoid installing plugins as much as you can on a machine that you use for banking and other financial services.

This might sound counter intuitive but does anyone get a feeling MEGA.nz will gain a largely userbase from this incident than any negative affects felt as a result of bad publicity?

I don't think so. This will leave a negative impression on MEGA.nz for a while and users will just shrug it off in time as if nothing happened. No actual hacks were reported but still, trust issues would arise from the community.
I have been hearing about this vulnerability for quite some time and that has really made me to lose interest in making use of Google chrome. Although some have claimed there are some malicious ones anyway but as long as that is happening and those malicious extensions are published on the chrome extension, then, that is a huge problem on its own.

At this stage, I have been a pure user of Opera as well for some months now, but one thing I have always noticed these days is that, data right now on the net, is something that can easily be taken if care is not taken, and if you really want to be out of such, it is only better to keep your safety belts on.

justspare
Hero Member
*****
Offline Offline

Activity: 784
Merit: 525


View Profile
September 30, 2018, 04:55:55 PM
 #16

Beyond Chrome, which is something people should be avoiding if they value their privacy anyway, this highlights the fact that browser plugins are yet another attack vector. If you can live without them, please do so. This goes beyond the operating system too, so people using Linux or Mac should be equally cautious despite their reputation for being more secure.
Privacy has always been one thing with chrome that has been lacking and for a lot of reasons I have decided to discard making use of chrome over the years.

I was even reading some recent stuff about the extension even stealing private keys and that is a whole lot even worse. This shows the level of vulnerability with the chrome extensions as a whole since cyber security experts already noted that the updated MEGA extension could grab sensitive data from crypto-related sites as well.

With respect to Firefox, I believe security wise, Firefox has been able to stand a better gap than chrome based on the fact that the Mega Firefox add-on was not affected in the breach that happened and it was only applicable to chrome. It is always better safe than sorry in my opinion.
Pages: [1]
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!