A new security warning was issued after 57 Chrome extensions with a combined user base of six million were found to have risky capabilities. These include accessing users' cookies for domains, executing scripts, and monitoring users' browsing activity.
The extensions are hidden, which means they do not show up in searches on the Chrome Web Store. They are also not indexed by search engines and can be installed by users who have a direct URL.
Normally, hidden extensions of this kind are private software, such as company tools or simple add-ons still under development. Threat actors might use them to evade detection while pushing them through advertisements and malware-laden pages.
The extensions were first spotted by a Secure Annex researcher, who flagged a suspicious one called Fire Shield Extension Protection. It is mostly obfuscated and contains callbacks to an API for sending data collected from the browser.
Thanks to domains like unknow.com, we see how it entails the extension. Some of the extensions featured similar domains and claim to offer ad blocking or privacy protection. They request overly broad permissions that allow them to perform serious actions.
The capabilities in question are monitoring user browsing activity, altering search providers, and injecting remote scripts into visited pages, along with activating the most advanced kind of tracking behavior.
While no extension is believed to have stolen sensitive details like cookies or passwords, they showed risky traits, including obfuscated code and hidden logic. That is enough for any security researcher to label them spyware or high-risk.
The obfuscated code also hints at other functions, such as command-and-control capabilities to list the top sites visited, open or close tabs, and others. Most of these were not validated, but finding them in 35 extensions that claim to offer simple services, like protecting people from malicious extensions, is telling.
Today, 22 more extensions were added to the high-risk list, bringing the total to 57, and some of the new ones are publicly accessible. While most were removed from the Chrome Web Store after the news went viral, many more remain.
Some common ones to be mindful of include Cuponomia, Securify, Choose your Chrome Tools, Protecto for Chrome, and Fire Shield Extension Protection. Total Safety is also on the list.
If you have any of those installed, it is recommended that you remove them immediately and, as a precaution, take steps such as resetting passwords for the sites you use. Google said it is aware of the report and will investigate the extensions further.
The developers of these extensions have yet to comment on the matter, despite receiving calls and messages with questions about the issue.
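For readers who want to check their own browser, here is an added example (not from the report or from Secure Annex) that audits extension manifests for the names listed above and for the broad capabilities the article describes. The mapping from those capabilities to Chrome permission names is this example's assumption, and the sample manifest is constructed.

```python
import json
from pathlib import Path

# Extension names listed in the article (compared case-insensitively).
NAMED = {"cuponomia", "securify", "choose your chrome tools", "protecto for chrome",
         "fire shield extension protection", "total safety"}
# Chrome permission -> capability the article describes (assumed mapping).
RISKY_PERMS = {"cookies": "read cookies for permitted domains",
               "scripting": "execute scripts in pages",
               "tabs": "see tab URLs, open and close tabs",
               "webNavigation": "monitor browsing activity"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_manifest(manifest):
    """Return a list of findings for one parsed manifest.json (MV2 or MV3)."""
    findings = []
    # Localized names appear as __MSG_...__ and will not match this list.
    if str(manifest.get("name", "")).strip().lower() in NAMED:
        findings.append("name is on the article's list")
    declared = (manifest.get("permissions", []) + manifest.get("optional_permissions", [])
                + manifest.get("host_permissions", []))
    declared = [p for p in declared if isinstance(p, str)]
    for perm in declared:
        if perm in RISKY_PERMS:
            findings.append(f"{perm}: {RISKY_PERMS[perm]}")
    if BROAD_HOSTS & set(declared):
        findings.append("host access to every site")
    if "search_provider" in manifest.get("chrome_settings_overrides", {}):
        findings.append("overrides the default search provider")
    return findings

def audit_extensions_dir(ext_dir):
    """Scan <ext_dir>/<id>/<version>/manifest.json and return {id: findings}."""
    report = {}
    for path in sorted(Path(ext_dir).glob("*/*/manifest.json")):
        try:
            found = audit_manifest(json.loads(path.read_text(encoding="utf-8-sig")))
        except (OSError, ValueError, TypeError, AttributeError):
            found = ["manifest unreadable"]
        if found:
            report[path.parts[-3]] = found
    return report

# Constructed sample manifest, not taken from any real extension.
SAMPLE = {"manifest_version": 3, "name": "Total Safety",
          "permissions": ["cookies", "tabs", "scripting", "storage"],
          "host_permissions": ["<all_urls>"],
          "chrome_settings_overrides": {"search_provider": {"name": "x"}}}

if __name__ == "__main__":
    for line in audit_manifest(SAMPLE):
        print("-", line)
```

To scan a real installation, pass the `Extensions` folder of a Chrome profile to `audit_extensions_dir`; a finding is a prompt for review, since many legitimate extensions also request these permissions.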
Image: DIW-Aigen