Users are recommended to reset their passwords on the affected sites like Amazon and Microsoft. The firm’s mobile apps, hosted by Apple, Google, and Microsoft, are cryptographically signed to make them immune to such attacks.Īlthough Google engineers have since intervened and replaced the extension users still need to check their browsers and ensure the extension isn’t installed anymore. The Firefox version is still available online, however, the Chrome extension has been taken down. The company has also said that MEGAsync and its Firefox extension did not suffer the vector attack because they (MEGA.nz) signs and hosts the extension source code. “ removes an important barrier to external compromise.”
MEGASYNC GOOGLE CHROME CODE
It has meant that the internet giant relied on automatic signatures after the code has already been uploaded to the Chrome web store. It states that it was wrong for Google to remove the need for publisher signatures on its Chrome extensions. In a blog post, MEGA.nz says that Chrome’s approach contributed directly to the extension hijack. The platform has also indicated that it is dissatisfied with Chrome Web Store’s approach to the issue of security. “We are currently investigating the exact nature of the compromise of our Chrome webstore account.” MEGA.nz extended their apologies to its users, saying that investigations were ongoing to establish exactly how the breach ended up compromising their account. It also affected IDEX, a cryptocurrency exchange, and trading platform. The attack was capable of extracting the keys and would then be able to access user funds on these sites. In addition, the compromised extension was capable of detecting and capturing private key information for web-based wallets MyEtherWallet and MyMonero. An analysis of its source code revealed that it captured the usernames and passwords on popular websites including Google, Amazon, Microsoft, and GitHub.
MEGASYNC GOOGLE CHROME UPDATE
The Chrome extension update showed malicious behavior just hours after release. The extension, released yesterday as version 3.39.4, apparently contained malicious code that had the capacity to steal usernames, passwords, and even private keys for popular cryptocurrencies Ethereum and Monero, ZDNet reports. Google engineers have had to remove a Chrome extension to the popular file-sharing service MEGA.nz that could have stolen Ethereum and Monero accounts private keys.
0 kommentar(er)
