500+ Google Chrome Extensions Stealing Your Data for Years

We love browser extensions. But some of them don’t respect us in the morning.

Security researchers just found a huge cache of malicious Chrome extensions, infecting millions of browsers. So Google swiped left on all of them.

AWS Builder Community Hub

Roses are red, violets are blue. In today’s SB Blogwatch, we’re concerned about you.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Hacking dating apps.


What’s the craic, Catalin Cimpanu? “Google removes 500+ malicious Chrome extensions”:

 The removed extensions operated by injecting malicious ads (malvertising) inside users’ browsing sessions. … The destination would be an affiliate link [or] something malicious, such as a malware download site or a phishing page.

The extensions were part of a larger malware operation that’s been active for at least two years. The research team also believes the group who orchestrated this operation might have been active since the early 2010s.

Networks of malicious Chrome extensions have been unearthed in the past. [But] what stood out about this scheme was the use of “redirects” that often hijacked users away from their intended web destinations in a very noisy and abrasive manner that was hard to ignore.

Google [has] banned the extensions from the official Web Store. It also deactivated them inside every user’s browser … marking the extension as “malicious” so users would know to remove it and not reactivate it.

And Dan Goodin adds, “500 Chrome extensions secretly uploaded private data from millions of users”:

 Researchers … identified 71 Chrome Web Store extensions that had more than 1.7 million installations. After the researchers privately reported their findings to Google, the company identified more than 430 additional extensions. … Google thanked the researchers for reporting their findings.

This latest discovery comes seven months after a different … researcher documented browser extensions that lifted browsing histories from more than 4 million infected machines. While the vast majority of installations affected Chrome users, some Firefox users also got swept up.

The discovery of more … is a reminder that people should be cautious when installing these tools and use them only when they provide true benefit. … People should regularly check for extensions they don’t recognize or haven’t used recently and remove them.

Who discovered it? Jamila Kaya, with help from Duo’s Jacob Rickerd—“Browser Extension Fraud Network Affecting Millions of Users”:

 Jamila Kaya (@bumblebreaches) [uncovered] a large scale campaign of copycat Chrome extensions that infected users and exfiltrated data through malvertising while attempting to evade fraud detection. … We were able to take the few dozen extensions and utilize CRXcavator.io to identify 70 matching their patterns across 1.7 million users and escalate concerns to Google.

Increasingly malicious actors will use legitimate internet activity to obfuscate their exploit droppers or command and control schemas. [It] is still hard to detect today, despite being prominent for years … acting as a vehicle for multiple forms of fraudulent activity, including ad-fraud, data exfiltration, phishing … monitoring & exploitation … and defraudment.

Here, the Chrome extension creators had specifically made extensions that … exfiltrate private browsing data without the users knowledge, expose the user to risk of exploit … and attempt to evade the Chrome Web Store’s fraud detection mechanisms. … Some of these ads could be considered legitimate; however, 60 to 70 percent of the time a redirect occurs, the ad streams reference a malicious site. … Users are exposed to additional risk of infection or phishing through these redirects.

So let’s all switch to Firefox? This Anonymous Coward opines otherwise:

 Firefox, Waterfox, Palemoon, are much much worse than Chrome and all of the rest are much more of a ****show as far as insecure extensions and massive bugs in the core. Firefox has generated far more critical security bugs in the browser itself, almost every week, than Google Chrome. … Chrome is a more secure browser and always has been far ahead of Firefox on security such as sandboxing.

Extensions are basically a bad concept. … Anyone who is allowed to publish an extension should have to personally identify themselves to the browser security team and should have to undergo a criminal background check.

Ah, but what about unintended consequences of tighter vetting?—Graham Cluley is positively false: [You’re fired—Ed.]

 I recommend password managers. I think for the vast majority of people they are a very good idea.

But things get a little tricky if you’re an established password manager vendor, and people can’t install your software. That’s the challenge facing Dashlane right now.

You can’t … find Dashlane’s browser extension in either the Chrome web store or Firefox add-ons library. … Dashlane’s senior engineering manager Thomas Guillory [says] it was Google which removed the extension citing a data privacy concern.

Edumacate me: “browser extensions”? oldskull sounds worried:

 These days browser extensions are nothing but [JavaScript] programs embedded into the browser itself. And the sad truth is that there isn’t much one can do if they want to browse the web securely.

For [it] to work, it has to have access to everything. Everything that I do in terms of browsing.

And that’s the thing. Who do you trust?

And Troy Hunt hopes everyone’s paying attention:

 Everyone understands just how much information browser extensions have access to, right?

So rtb61 asks the pointed questions:

 At which point should Google be liable for distributing this stuff? … Eventually they are going to have to be held criminally liable for failing to properly vet the stuff they distribute.

Think back just 25 years, no shop would get away with selling hundreds of bad products and just point at the manufacturer and say, their fault. … Caveat emptor, sucker.

Meanwhile, LosAngelesPandas snarks it up a notch:

 Google would consider this a feature if this data was being sent to them.

And Finally:

Hacking the Dating App Algorithm

Previously in And Finally

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Christiaan Colen (cc:by-sa)

Richi Jennings

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.

richi has 513 posts and counting.See all posts by richi