If an extension goes rogue, everything you do in your browser is compromised

Login usernames, passwords, and cryptocurrency private keys snaffled up by malicious Mega.nz extension update.

Graham Cluley
Graham Cluley
@
@[email protected]
@gcluley

If an extension goes rogue, everything you do in your browser is compromised

As Chrome’s tenth birthday is celebrated, Google has released a new edition of the world’s most popular desktop browser. Chrome 69 has been rolled out with a strong password generator, rounder tabs, new icons, and other user interface changes.

It’s certainly been a successful ten years for the Chrome browser. In the late-1990s and early 2000s, most of us were using Netscape and then Internet Explorer on our desktop PCs. Today, it’s overwhelmingly Chrome.

But whatever browser you choose to run, chances are that it’s not just the browser. You’re also very likely to be running third-party extensions and plugins to boost the browser’s abilities, tweak its behaviour, and enhance your online security.

Chrome extension menu

What many people don’t realise is that these extensions can themselves present a security risk, and – when you look into it – it’s pretty terrifying just how much a browser extension can do.

An ad blocker, for instance, can read and change all your data on the websites that you visit. It *has* to be able to have that ability to let it block website ads. When you install a browser extension, you’re placing a lot of trust in it never turning evil.

Sign up to our free newsletter.
Security news, advice, and tips.

One popular service which has its own Chrome browser extension is Mega.nz – the cloud-based file-sharing service founded by the shadowy larger-than-life figure of Kim Dotcom (he severed all ties with Mega three years ago.)

This week, as ZDNet reports, the official Chrome browser extension for Mega.nz was compromised with a malicious update.

User of the extension received an automatic update which requested more permissions, including the ability to “read and change all your data on the websites that you visit.” In all likelihood many users simply clicked through the warning.

Amazon signin That, of course, was a big mistake.

The malicious edition of the Mega.nz extension started stealing login usernames, passwords, and cryptocurrency private keys from Chrome users – stealing information from surfers as they used sites such as Amazon, Google, Microsoft, GitHub, MyEtherWallet, MyMonero, and the cryptocurrency trading platform IDEX.

And to where was the sensitive data being siphoned? A Ukrainian server.

The suspicion has to be that Mega.nz’s account in the Chrome web store was somehow hacked. Was phishing to blame? A weak password? A reused password? A hack at Mega.nz? We just don’t know, and for now no-one’s saying.

The malicious version of the Mega.nz extension was available for Chrome users for some hours, and users who were updated during that time may have had credentials and private keys stolen from them. Mega.nz says it has now been removed, and is at pains to point out that the Firefox version of the extension is not affected.

Mega extensions

Mega.nz, it seems, is placing some of the blame at Google itself – claiming that the security measures in place for extensions in the Chrome web store are weaker than those for, say, Firefox:

We would like to apologise for this significant incident. MEGA uses strict release procedures with multi-party code review, robust build workflow and cryptographic signatures where possible. Unfortunately, Google decided to disallow publisher signatures on Chrome extensions and is now relying solely on signing them automatically after upload to the Chrome webstore, which removes an important barrier to external compromise. MEGAsync and our Firefox extension are signed and hosted by us and could therefore not have fallen victim to this attack vector. While our mobile apps are hosted by Apple/Google/Microsoft, they are cryptographically signed by us and therefore immune as well.

If you run the Mega.nz Chrome extension, change the passwords for all online accounts you may have logged into while the trojanized version was active. Make sure the new passwords are unique, and hard to crack.

To hear more discussion about this issue, be sure to check out the “Smashing Security” podcast:

Smashing Security #094: 'Rogue browser extensions, Twitter presence, and how to cheat in exams'

Listen on Apple Podcasts | Spotify | Pocket Casts | Other... | RSS
More episodes...

Some takeaways:

  • Browser extensions – even the ones that are supposed to be keeping you safe – have an enormous amount of power. If an extension goes rogue, everything you do in your browser is now compromised.
  • In the past we’ve even seen the ownership of browser extensions change. It may be the case that you are now dealing with a completely different developer, and they may have malicious intentions.
  • Always be wary when browser extensions ask for elevated permissions.
  • Keeping the number of extensions you run in your browser to a minimum reduces your threat surface.
  • And if you are an extension developer, you have enormous responsibility to secure your code and developer account so others cannot easily take advantage.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

3 comments on “If an extension goes rogue, everything you do in your browser is compromised”

  1. chris

    There needs to be some sort of repository for extensions and permissions or alerts in when ownership of an add-on changes for the exact reasons you mention. Or some kind of "certification" for open-source code verifying that the code is not doing anything malicious

  2. OICU

    It has always concerned me about what if Adblock, Adblock Plus and uBlock Origin were compromised. That would be a lot of browsers affected.

    It's possible to avoid using browser extensions, but getting rid of the last one—the adblocker—is a problem because browsing without one is also an issue. Hosts files are too clunky. It was better when adblockers was build directly into the browser rather than extensions (such as 'Tracking Protection Lists' in Internet Explorer 9 onwards), and the user then just subscribed to the lists they wished to use (such as EasyList, etc.) or used their own lists.

    1. Tom · in reply to OICU

      Opera has built in adblocker with lists, also chrome has some sort of built in adblocker these days.

Leave a Reply to OICU Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.