These extensions were already stealing from millions of Chrome users.
Recently, it has been found out that over 500 Google Chrome extensions were collecting user data and using it for malicious purposes.
Investigated by an independent security researcher named Jamila Kaya and Duo Security; they initially discovered 71 such extensions with 1.7 million installations but then went on to discover an additional 430 after privately notifying Google’s team.
All of these extensions were hiding their real motive of advertising and exfiltrating user data through various techniques. These included requesting permissions that they did not need from users such as access to the user’s clipboard & cookies stored locally.
See: Clones of popular Adblockers caught ad frauding millions of Chrome users
In this way, they were able to obtain critical info and then share it back to themselves by connecting the user’s browser to their C2 server. Using this established connection, the extensions would also receive further commands, updated lists of malicious ads and other domains the user should be redirected to along with the locations where the user data should be continued to be uploaded to.
Furthermore, users would also be redirected to different domains which sometimes were legitimate but often they were also malicious ones where malware could be downloaded or users could be lured in for phishing.
Kaya has stated that this uncovering came about on one of her normal threat hunting operations as a researcher. Their success though can be greatly attributed to CRXcavator, a tool developed by Duo that can be used to assess the security of Chrome extensions and thereby helped them in tracking down this “entire network.” Elaborating on the larger picture of how such attacks are possible, their official report states,
A very popular way to do this is to utilize advertising cookies and the redirects therein to control callbacks and evade detection. This technique, called “malvertising” has become an increasingly common infection vector in Jamila’s experience, and is still hard to detect today, despite being prominent for years.
Furthermore commenting on how such a large number of extensions despite being highly similar evaded Chrome’s detection mechanisms, the researchers said that,
…the source code of the plugins are nearly identical to each other. The only substantial differences in the source code are the names of the functions. With a much larger number than similar plugins and services, it’s likely that a single change of all the function names reduces the similarity to other plugins enough to avoid detection mechanisms.
However, what’s alarming is that these attackers are believed to be operating since January 2019 and so it is highly likely that they inflicted a reasonable amount of damage to users. To add to this, some domains associated with their operations were also found to be registered from earlier in 2017 and 2018 taking out possible timelines even back. This indicates how such schemes can go on unnoticed for large periods of time despite there being significant checks and balances in place.
On the other hand, though, we’ve seen Google also tackle such changing circumstances by implementing new security policies requiring greater compliance on behalf of developers. Other browsers should also learn from this and remain updated. At the time of publishing this article, all malicious Chrome extensions were removed by Google.
For users, they currently can review the extensions they’ve installed and removed any unnecessary ones. For those that are even necessary, it is vital that you check the permissions you’ve granted to them in order to prevent any unneeded access. You can read more about Google’s security precautions for those using exertions through its Chrome web store.