Cybersecurity researchers have uncovered a new group of dangerous extensions in the official Chrome Web Store. Their cumulative number of installations exceeded 100,000, and these programs are capable of stealing users' confidential data, including passwords and financial information.
Specialists from Symantec analyzed the threat mechanisms and discovered a number of hidden methods of operation. The malicious extensions carry out:
- Unauthorized access to the clipboard
- Interception of search queries
- Remote code execution
- Theft of session data
Notably, despite Google's existing review procedures, these programs made it into the official store and remained available for download for an extended period. This situation highlights the persistent vulnerabilities in the browser extension verification system, even with the implementation of neural network algorithms for additional checks.
Among the identified threats, several specific extensions drew particular attention:
Good Tab uses an insecure HTTP iframe, granting a remote domain read and write access to the user's clipboard. This vulnerability allows attackers not only to steal passwords but also to replace cryptocurrency wallet addresses at the moment of transaction.
Children Protection (removed from the store at the time of discovery) functioned as a full-fledged management and control system. The extension used a domain generation algorithm for resilience against server blocks, collected browser cookies to hijack sessions, and executed arbitrary JavaScript code from a remote server.
DPS Websafe (also removed) masqueraded as the popular ad blocker Adblock Plus, using its icon to mislead users. The program tracked browser activity and redirected search queries.
Stock Informer is still available in the Chrome Web Store. The extension contains a critical cross-site scripting (XSS) vulnerability: due to the lack of message source validation, attackers can execute arbitrary code.
This incident is not the first time malicious extensions have passed Google's moderation and entered the official store. It once again brings to the forefront the issue of the reliability of browser add-on verification mechanisms and the need to strengthen security measures to protect users.