Chrome Extension Alert: Over 100 Malicious Apps Found, Stealing Data and Hijacking Sessions (2026)

Malicious Chrome Extensions: A Coordinated Threat to User Security and Privacy

The recent discovery of over 100 malicious Chrome extensions in the Chrome Web Store has raised serious concerns about the security and privacy of Chrome users. These extensions, part of a coordinated campaign, have been designed to steal sensitive information, deploy backdoors, and carry out ad fraud. The fact that all affected extensions were still available in the store at the time of the report highlights the urgency of the situation.

The extensions, published under five different publisher profiles, have been categorized into various types, including Telegram sidebar clients, slot machine and Keno games, YouTube and TikTok enhancers, a text translation tool, and browser utilities. The campaign's central backend, hosted on a Contabo VPS, supports multiple subdomains that handle session hijacking, identity collection, command execution, and monetization.

One of the most concerning aspects of these extensions is their ability to inject attacker-controlled HTML into the browser interface using the innerHTML property. This allows the attackers to manipulate the user's browsing experience, potentially leading to further security breaches.

Another group of extensions uses the chrome.identity.getAuthToken API to gather sensitive information such as the victim's email address, name, profile picture, Google account ID, and Google OAuth2 Bearer token. These tokens are short-lived access credentials that enable applications to access a user's data or act on their behalf without requiring a password. The theft of these tokens can lead to significant security breaches and identity theft.

A third set of extensions includes a hidden function that runs on browser startup, contacts the command-and-control server, and opens arbitrary URLs without any user interaction. One extension has been identified as particularly severe: it steals Telegram Web session data every 15 seconds, extracting localStorage content and session tokens and sending them to the attacker's server. This extension also accepts inbound commands that overwrite the victim's localStorage with attacker-supplied session information and force a reload of Telegram Web, effectively swapping the victim's account without their knowledge.

The implications of these malicious extensions are far-reaching. The theft of sensitive information and the deployment of backdoors can lead to significant security breaches and identity theft. The ad fraud carried out by these extensions can also have a significant financial impact on users and businesses.

To protect themselves from these malicious extensions, Chrome users should take the following steps: First, they should compare the list of affected extensions provided by Socket with their installed Chrome extensions and uninstall any matches right away. They can do this by going to chrome://extensions in the address bar. Second, users should be vigilant about the types of extensions they install and only download extensions from trusted sources. Finally, users should regularly update their Chrome browser and extensions to ensure that they have the latest security patches and fixes.
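The first step above can be scripted. The following triage script is an added example, not code from Socket or from the original article: it walks a Chrome profile's Extensions folder, marks IDs that appear on an affected list, and flags source-level signs of the behaviours described earlier. The indicator patterns are assumptions chosen for illustration (the article does not say which startup API the extensions use), and the affected IDs must be supplied from the published list.

```python
import json
import re
import sys
from pathlib import Path

# Heuristic indicators for the behaviours the article describes.
# These patterns are assumptions for triage; a hit is a reason to review, not proof.
INDICATORS = {
    "oauth_token_access": re.compile(r"chrome\.identity\.getAuthToken"),
    "innerhtml_assignment": re.compile(r"\.innerHTML\s*\+?=(?!=)"),  # = or +=, not == / ===
    "runs_on_startup": re.compile(r"chrome\.runtime\.onStartup"),
    "localstorage_access": re.compile(r"\blocalStorage\b"),
}

def audit_extension(version_dir):
    """Return sorted findings for one unpacked extension version directory."""
    version_dir = Path(version_dir)
    try:
        manifest = json.loads((version_dir / "manifest.json").read_text(encoding="utf-8"))
        has_identity = "identity" in manifest.get("permissions", [])
    except (OSError, ValueError, AttributeError, TypeError):
        return ["unreadable_manifest"]  # missing, malformed or unexpected manifest
    findings = {"identity_permission"} if has_identity else set()
    for js in version_dir.rglob("*.js"):
        if js.is_file():
            text = js.read_text(encoding="utf-8", errors="replace")
            findings.update(name for name, rx in INDICATORS.items() if rx.search(text))
    return sorted(findings)

def scan_profile(extensions_dir, affected_ids=frozenset()):
    """Map extension ID -> findings; layout is Extensions/<id>/<version>/manifest.json."""
    report = {}
    for ext in sorted(Path(extensions_dir).iterdir()):
        if not ext.is_dir():
            continue
        findings = {"on_affected_list"} if ext.name in affected_ids else set()
        for version in ext.iterdir():
            if version.is_dir():
                findings.update(audit_extension(version))
        if findings:
            report[ext.name] = sorted(findings)
    return report

if __name__ == "__main__":
    # Usage: python audit.py <path to the profile's Extensions folder>
    for ext_id, found in scan_profile(sys.argv[1]).items():
        print(ext_id, ", ".join(found))
```

The Extensions folder sits under the Profile Path shown at chrome://version. Many legitimate extensions use localStorage or innerHTML, so treat the output as a shortlist for manual review and rely on the affected list for removal decisions.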

In conclusion, the discovery of these malicious Chrome extensions highlights the ongoing threat to user security and privacy. It is crucial for users to take proactive steps to protect themselves from these threats. By being vigilant and taking the necessary precautions, users can help to safeguard their sensitive information and prevent further security breaches.

Author: Ray Christiansen
