Chrome is the most popular web browser in the world, and one of the reasons it is so widely used is the availability of third-party extensions that add features and functionality. Like most people, I use extensions every day (though I prefer Brave over Chrome for a range of privacy-related reasons). For example, I have extensions for Grammarly, Evernote, HubSpot, Moz, CrowdTangle, and OneTab active right now.
And that's nothing compared to the almost 200,000 extensions available in the Chrome Store. In fact, it's the prevalence of those extensions that has long made them a target for bad actors. It's far too easy for malicious code to find its way into seemingly benign extensions without users ever really knowing.
That's exactly what was revealed last week, and it affects over 1.7 million users. In a joint effort, Cisco's Duo Security, along with researcher Jamila Kaya, released a report detailing some 500 fraudulent Chrome extensions that exist only to capture user information.
The report details Chrome extensions that appear to be "operating in a manner that initially seemed legitimate. Upon further investigation, they were found to infect users' browsers and exfiltrate data as part of a larger campaign."
More specifically, according to the report, Kaya discovered that:
The Chrome extension creators had specifically made extensions that obfuscated the underlying advertising functionality from users. This was done in order to connect the browser clients to a command and control architecture, exfiltrate private browsing data without the users' knowledge, expose the user to risk of exploit through advertising streams, and attempt to evade the Chrome Web Store's fraud detection mechanisms.
That presents an interesting challenge, since the extensions appear at first to be perfectly legitimate but put your--or your company's--information at risk.
The report names the extensions identified as malicious. The researchers shared their information with Google, and the company has removed over 500 extensions from the Chrome Store. And, as always when exploits like these are found, Google automatically deactivates the affected extensions within a user's browser to prevent further risk. If you happened to be using one, don't reactivate it.
This is probably a good time for a reminder that we should all practice good browser hygiene, especially as attackers get more sophisticated at getting hold of our personal information. Don't install extensions unless they're from a reputable source, and even then, pay attention to exactly what permissions the extension requires. If you aren't comfortable with giving it access to your browser or aren't sure exactly what it does, it's probably better not to install it at all.