Chrome extensions compromised leading to the Mega.nz app stealing passwords


Cesario

"Unfortunately, Google decided to disallow publisher signatures on Chrome extensions and is now relying solely on signing them automatically after upload to the Chrome webstore, which removes an important barrier to external compromise. MEGAsync and our Firefox extension are signed and hosted by us and could therefore not have fallen victim to this attack vector. While our mobile apps are hosted by Apple/Google/Microsoft, they are cryptographically signed by us and therefore immune as well."

 

GG Google, you opened up the ability for this to happen... topkek.

 

tl;dr of this article is: stick with Firefox where extensions are more secure.

 

@Moodkiller


29 minutes ago, RyanEsau said:

I guess this is just a thing to watch out for now...

 

CCleaner and now a Chrome Extension. Hackers getting into the respective servers and replacing the release with a malicious one...

 

Fortunately, I don't use the extension, I always use the site or megatools on my seedbox.

Thing is, this isn't a MEGA issue. This is a security issue with Chrome, one that Google created knowingly as I quoted above. Essentially absolutely every extension under Chrome could fall for this attack vector.

 

Just one more thing in a long list of reasons why Firefox is and has always been the superior option.

  • Like 2

1 hour ago, Koby said:

Thing is, this isn't a MEGA issue. This is a security issue with Chrome, one that Google created knowingly as I quoted above. Essentially absolutely every extension under Chrome could fall for this attack vector.

 

Just one more thing in a long list of reasons why Firefox is and has always been the superior option.

 

Didn't mean to imply it as a MEGA issue. I just was pointing out that this seems to be a thing to watch out for now -- hackers getting their grubby hands into servers and replacing a release with one with some keylogger or whatever added into it. So then anyone that updates gets affected and is vulnerable until the company (or host in this case, Google) catches and resolves it.


5 hours ago, Koby said:

Thing is, this isn't a MEGA issue. This is a security issue with Chrome, one that Google created knowingly as I quoted above. Essentially absolutely every extension under Chrome could fall for this attack vector.

 

Just one more thing in a long list of reasons why Firefox is and has always been the superior option.

On an unrelated note, as much as I always would love to advocate for the free-er and thus superior option, I wonder how long Firefox will really last under the helm of Mozilla. They use proprietary blobs in Quantum which makes it difficult to remove and revise in forked browsers (or some just outright refusing to adopt Quantum due to the adoption of Rust and the complexity of said implementation), they force install addons without consent which so far have been alarming in nature whereas not even Chrome would dare attempt to do, and they explore new ideas every month to implement history tracking, feed recommendations and even OS-side snooping for advertisements (thankfully most ideas were shut down) and lastly (not Mozilla's fault) Google services not working correctly or slower on Quantum, but that's expected from competition and scummy.

I'm personally waiting for Brave to release to 1.0 next year and will move from Firefox for good. It's the best of both worlds with a monitored addon store, privacy-centric first, completely de-Googled Chromium and you can even support your favourite sites and content creators with BAT if you wish to. Until then, I seriously hope Mozilla doesn't go and pull a wild 360 for the better of everyone ☺️


  • 1 month later...

@Cesario @Koby The topic title heavily implies MEGA is somehow directly involved. I would strongly suggest changing it - just because ZDNet writes it doesn't mean we should here.

On 9/12/2018 at 10:13 AM, Ka44tsUU said:

On an unrelated note, as much as I always would love to advocate for the free-er and thus superior option, I wonder how long Firefox will really last under the helm of Mozilla. They use proprietary blobs in Quantum which makes it difficult to remove and revise in forked browsers (or some just outright refusing to adopt Quantum due to the adoption of Rust and the complexity of said implementation), they force install addons without consent which so far have been alarming in nature whereas not even Chrome would dare attempt to do, and they explore new ideas every month to implement history tracking, feed recommendations and even OS-side snooping for advertisements (thankfully most ideas were shut down) and lastly (not Mozilla's fault) Google services not working correctly or slower on Quantum, but that's expected from competition and scummy.

I'm personally waiting for Brave to release to 1.0 next year and will move from Firefox for good. It's the best of both worlds with a monitored addon store, privacy-centric first, completely de-Googled Chromium and you can even support your favourite sites and content creators with BAT if you wish to. Until then, I seriously hope Mozilla doesn't go and pull a wild 360 for the better of everyone ☺️

Please stop reading and spreading awful anti-Firefox propaganda. It is essentially pro-Chrome brainwashing at this point because even if you don't use Chrome it is the only real alternative for the general public.

 

Firefox was virtually unusable pre-Quantum because it had fallen so far behind the competition - whatever Quantum's minor technical faults, it leapfrogged every other browser with version 57, and hasn't looked back. Even with the Google services issue, it's often still faster on those sites than Chrome because it's faster overall!

 

As for the privacy silliness - sure Mozilla has done a few questionable things, but the problem is that Firefox is incredibly dependent on Google for revenue which is very obviously a bad thing. So Mozilla does look for other revenue opportunities, while trying to ensure that users always have the opportunity to disable and/or opt out of any such "features" (sometimes opt in depending on severity).

 

Complaining about when Mozilla goes too far is absolutely valid, but the vast majority of these complaints imply that there are better alternatives, when all of them - including the Firefox forks - are much worse for a variety of reasons. (You may want to read up on Brave before you make a mistake switching browsers, by the way.)

Edited by mcmxcixmm

@mcmxcixmm I never implied 'anti-Firefox propaganda' (lmfao) in this post, I am anti-Mozilla for sure, as you already know who takes rather large donations and subsidiaries from Google and friends who would like to spread an ideology in the years to come, as do many organisations of this stature. I run and will continue to use GNU Icecat Quantum for the years to come because I feel it's the best open source has to offer that provides total freedom for its users. As of today, Brave has finally released a beta build of the degoogled-chromium browser but I'm not feeling it yet really, and as more pressing days pass, it seems less and less relevant as a bastion of freedom and more monetary gain as always, so I do concede with your sentiment and retract my statement about it. This still doesn't mean that Mozilla isn't halting from beginning to turn to a darker leaf and I seriously hope they don't, for the better of everyone.

 

22/10/2018 EDIT: 
Oh no, Mozilla just partnered up with ProtonVPN to provide their services easily within the system 😥

Edited by Ka44tsUU
News

  • Koby changed the title to Chrome extensions compromised leading to the Mega.nz app stealing passwords