Malicious Chrome Extensions Lets Hackers Steal Your Data
By Arham Jain
Millions of users have had their data stolen by a few Chrome extensions. Google recently removed around 500 extensions from the Chrome Web Store that were tagged as “malicious” and were stealing users’ browsing data.
Chrome sync feature
One of the most recent cases abused the Chrome Sync feature: threat actors used maliciously crafted Chrome browser extensions to harvest information from compromised computers through Chrome Sync.
Chrome Sync stores copies of a user’s Chrome bookmarks, passwords, browsing history, and browser and extension settings on Google’s cloud servers.
Hackers can use this feature to send commands to infected browsers and steal data from infected systems, bypassing traditional firewalls and other network defenses.
How does the hacker bypass the Web Store security checks?
While Google removes hundreds of such extensions each year, this one was a bit different because of the way it was designed and deployed.
The attacker’s malicious extension was camouflaged as the Forcepoint Endpoint Chrome Extension for Windows and sideloaded directly into Chrome after enabling Developer mode.
Once sideloaded, the extension dropped a background script designed to look for oauth_token keys in Chrome’s storage, which would then get automatically synced to the user’s Google cloud storage.
To get access to the synced sensitive information, the threat actor would only have to log into the same Google account on another system running the Chrome browser, since third-party Chromium-based browsers are not allowed to use the private Google Chrome Sync API. While there are some limitations on the size of the data and the number of requests, this is actually perfect for C&C commands, or for stealing small but sensitive data, such as authentication tokens.
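The pattern described above can be turned into a defender-side check. The following is an added example, not code from the original article or from Google: it audits an unpacked extension directory for the four indicators the article describes (no Web Store update_url, the storage permission, a background script that looks for oauth_token, and a write to chrome.storage.sync). The Web Store update_url marker is a heuristic assumption, and the extension fixture is constructed for the demo.

```python
"""Heuristic audit of an unpacked Chrome extension directory for the
Chrome Sync abuse pattern: a background script that reads oauth_token
keys and writes them to chrome.storage.sync."""
import json
import re
import tempfile
from pathlib import Path

# Assumption: Web Store installs carry this update_url in manifest.json; its
# absence hints that the extension was sideloaded via Developer mode.
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"
SYNC_WRITE = re.compile(r"chrome\.storage\.sync\.set\s*\(")
TOKEN_LOOKUP = re.compile(r"oauth_token")

def background_scripts(manifest: dict) -> list[str]:
    """Background script paths for MV2 (scripts) and MV3 (service_worker)."""
    bg = manifest.get("background", {})
    if "service_worker" in bg:
        return [bg["service_worker"]]
    return list(bg.get("scripts", []))

def audit_extension(ext_dir: Path) -> dict:
    """Evaluate one extension directory; returns each indicator plus a verdict."""
    manifest = json.loads((ext_dir / "manifest.json").read_text())
    code = ""
    for rel in background_scripts(manifest):
        path = ext_dir / rel
        if path.exists():
            code += path.read_text()
    findings = {
        "sideloaded": manifest.get("update_url") != WEBSTORE_UPDATE_URL,
        "storage_permission": "storage" in manifest.get("permissions", []),
        "reads_oauth_token": bool(TOKEN_LOOKUP.search(code)),
        "writes_to_sync": bool(SYNC_WRITE.search(code)),
    }
    # All four indicators together match the behaviour described in the article.
    findings["suspicious"] = all(findings.values())
    return findings

def build_sample() -> Path:
    """Constructed fixture (not a real extension) mimicking the described behaviour."""
    d = Path(tempfile.mkdtemp())
    (d / "manifest.json").write_text(json.dumps({
        "name": "Endpoint Helper", "version": "1.0", "manifest_version": 2,
        "permissions": ["storage"], "background": {"scripts": ["bg.js"]},
    }))
    (d / "bg.js").write_text(
        "chrome.storage.local.get(null, function (items) {\n"
        "  if (items.oauth_token) { chrome.storage.sync.set({t: items.oauth_token}); }\n"
        "});\n")
    return d

if __name__ == "__main__":
    print(audit_extension(build_sample()))
```

Point audit_extension at each folder under the Chrome profile's Extensions directory to sweep a real machine; a hit on all four indicators is a reason to inspect the extension, not proof by itself.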
Why do hackers create these extensions?
Some security researchers believe that these extensions were created to hijack users’ traffic for financial gain: the hackers would sell the data to third parties and receive payments in return.
Threat intelligence teams started observing these threats back in November last year; judging by the Web Store reviews, they believe the extensions could have been up and running for years. The most worrying part is that a few of these extensions could still be downloaded from the Web Store, and the user wouldn’t notice anything suspicious.
Extensions have been a weak link in Chrome for a while now. It is really difficult to control and manage them when there is so much traffic of new extension uploads and downloads by millions of users. Google can’t keep track of all the third parties involved in developing extensions.
Still, there is no doubt that these issues are going to persist a little longer than we would like. Google is working on a creative solution to end this problem once and for all. The easiest way to stay safe from such extensions is to not use any extension at all, but that would make users miss out on many good extensions which actually work without stealing data.