The Chrome Web Store has now removed the Chrome extension for the service, which was launched by Kim Dotcom in 2013 after the demise of MegaUpload.
According to security researchers, the Google Chrome extension for the popular file upload and sharing service MEGA has been compromised by hackers looking to steal login credentials and cryptocurrency keys.
SerHack was the first researcher to sound the alarm, warning in a tweet on September 4 that version 3.39.4 of the extension had been hacked and was potentially harvesting user information, including usernames and passwords, from a number of platforms including Amazon, GitHub, Google, and Microsoft.
MEGA blamed Google for removing their ability to sign extensions, making it easier for such incidents to take place.
An excerpt from the statement reads:
“We would like to apologize for this significant incident. MEGA uses strict release procedures with multi-party code review, robust build workflow and cryptographic signatures where possible. Unfortunately, Google decided to disallow publisher signatures on Chrome extensions and is now relying solely on signing them automatically after upload to the Chrome Webstore, which removes an important barrier to external compromise. MEGAsync and our Firefox extension are signed and hosted by us and could therefore not have fallen victim to this attack vector. While our mobile apps are hosted by Apple/Google/Microsoft, they are cryptographically signed by us and therefore immune as well.”