The Chrome Web Store is how users of Google's browser add extensions for things like password managers, price matchers, and foreign language translations. A few are available outside of the store, but Google is working on making it mandatory for all future add-on installations.
This should go a long way toward helping Google police add-ons for bad behavior, but as cloud storage company MEGA learned just recently, the store is only as good as the security that an extension developer uses to protect its Google account.
TorrentFreak reports that an unauthorized person gained access to MEGA's Google account and uploaded a fake version of its browser add-on. This fake version was designed to steal your login info for Amazon, GitHub, and other sites and send the data to an IP address located in Ukraine.
MEGA starkly warned its users, "Please note that if you visited any site or made use of another extension that sends plain-text credentials through POST requests, either by direct form submission or through a background XMLHttpRequest process (MEGA is not one of them) while the trojaned extension was active, consider that your credentials were compromised on these sites and/or applications."
The rogue version of its extension was only in place for a few hours, thankfully, but the extent of the stolen data has yet to be fully uncovered.
MEGA points out that its mobile apps, plus its add-on for the rival Firefox web browser, were unaffected. This is because those versions must carry an authentication signature from the developer to prove that they come from the correct source. However, the Chrome Web Store purportedly authenticates add-ons automatically when they are uploaded.
If you were using the rogue version of the MEGA browser add-on, any website you logged into during that four-hour window was transmitting your username and password to the server in Ukraine, so you'll need to change those passwords as soon as you can.
Any service that another add-on automatically logs you into probably also needs its password changed, because the rogue MEGA add-on could query those add-ons for login credentials.
Hopefully, Google will review its policies for browser add-on authentication, and take a look at how much information one add-on can communicate to another that's also installed.
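What the article describes the trojaned extension doing, reading credentials out of POST requests and form submissions on every site the user visited, is only possible if the extension's manifest asks for broad grants: a request-observing API permission combined with an all-sites host pattern, or a content script injected into every page. An update that suddenly asks for those grants is the signal a user or administrator can act on. The following Python script is an added example, not code from Download.com, MEGA or Google; it audits extension manifests for such grants and diffs the permission set between an installed version and an update. The two manifests and their version numbers are constructed for illustration and are not MEGA's real ones.

```python
"""Audit Chrome extension manifests for grants that let an extension read
credentials on every site, and flag permission growth between versions.
Added example; the manifests below are constructed, not MEGA's real ones."""
import json
from pathlib import Path

# Match patterns that cover every origin the user visits.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Constructed manifests: a benign build and a trojaned update of the same name.
BENIGN_MANIFEST = {
    "manifest_version": 2,
    "name": "Example Cloud Drive",
    "version": "3.0.0",
    "permissions": ["storage", "https://drive.example/*"],
    "content_scripts": [{"matches": ["https://drive.example/*"], "js": ["cs.js"]}],
}
TROJANED_MANIFEST = {
    "manifest_version": 2,
    "name": "Example Cloud Drive",
    "version": "3.0.1",
    "permissions": ["storage", "webRequest", "webRequestBlocking", "<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["cs.js"]}],
}


def is_broad_host(pattern: str) -> bool:
    """True if a match pattern grants access to essentially every origin."""
    return pattern in BROAD_HOST_PATTERNS


def host_patterns(manifest: dict) -> set:
    """Host patterns from MV2 'permissions' and MV3 'host_permissions'."""
    declared = manifest.get("permissions", []) + manifest.get("host_permissions", [])
    return {p for p in declared if p == "<all_urls>" or "://" in p}


def api_permissions(manifest: dict) -> set:
    """Named API permissions (webRequest, cookies, ...) without host patterns."""
    return set(manifest.get("permissions", [])) - host_patterns(manifest)


def audit_manifest(manifest: dict) -> dict:
    """Explain why a manifest could (or could not) read credentials everywhere."""
    reasons = []
    broad_hosts = any(is_broad_host(h) for h in host_patterns(manifest))
    # webRequest plus an all-sites host grant: the background script can
    # observe every request the browser sends, including POST bodies.
    if "webRequest" in api_permissions(manifest) and broad_hosts:
        reasons.append("webRequest on all sites")
    # A content script injected everywhere can read form fields before submit.
    if any(is_broad_host(m) for cs in manifest.get("content_scripts", [])
           for m in cs.get("matches", [])):
        reasons.append("content script on all sites")
    return {
        "name": manifest.get("name", "?"),
        "version": manifest.get("version", "?"),
        "can_read_credentials": bool(reasons),
        "reasons": reasons,
    }


def permission_growth(installed: dict, update: dict) -> dict:
    """Grants an update adds over the installed version; a jump from a
    single-site extension to all-sites access is the thing to investigate."""
    return {
        "new_api_permissions": sorted(api_permissions(update) - api_permissions(installed)),
        "new_host_patterns": sorted(host_patterns(update) - host_patterns(installed)),
    }


def load_manifest(extension_dir) -> dict:
    """Read manifest.json from an unpacked extension directory."""
    return json.loads(Path(extension_dir, "manifest.json").read_text(encoding="utf-8"))


if __name__ == "__main__":
    for m in (BENIGN_MANIFEST, TROJANED_MANIFEST):
        print(json.dumps(audit_manifest(m)))
    print(json.dumps(permission_growth(BENIGN_MANIFEST, TROJANED_MANIFEST)))
```

Run as-is it reports on the two constructed manifests; to check a real profile, point `load_manifest` at the per-extension, per-version directories Chrome keeps under the profile's Extensions folder and feed the result to `audit_manifest`. The audit is a screen, not a verdict: legitimate password managers and ad blockers also need all-sites access, so the useful output is `permission_growth` between the version you trusted and the one that just arrived.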
- The MEGA browser add-on for Google Chrome was replaced by a rogue version on the Chrome Web Store for four hours yesterday. This rogue version was designed to spy on users and steal passwords for any website they visited.
- If you used this add-on during that time frame, and you had other browser add-ons that automatically log you into a particular website, those logins are probably also compromised. Users are advised to change their passwords for all affected website accounts.