Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Chrome Extension. Show all posts
User Privacy
Chrome Extension Cyber Security Data Surveillance FreeVPN User Privacy

FreeVPN.One Extension Turns from Privacy Tool to Surveillance Threat

 

Security researchers at Koi Security have discovered troubling behavior from FreeVPN.One, a popular Chrome VPN extension with over 100,000 installations that has begun secretly capturing and transmitting users' screenshots to remote servers. 

Threat discovery 

The extension, which had maintained legitimate functionality for years, recently shifted its behavior in July 2025 to silently capture screenshots approximately one second after each page load. These screenshots are then transmitted to external servers—initially unencrypted, but later obfuscated with encryption after updates. The malicious behavior was introduced gradually through smaller updates that first requested additional permissions to access all websites and inject custom scripts. 

Developer's response

When confronted, FreeVPN.One's developer claimed the extension "is fully compliant with Chrome Web Store policies" and that screenshot functionality is disclosed in their privacy policy. The developer provided various justifications, including that screenshots only trigger "if a domain appears suspicious" as part of "background scanning". 

However, Koi researchers refuted this, providing evidence of activation on trusted domains including Google's own sites. The developer also claimed screenshots are "not being stored or used" but "only analyzed briefly for potential threats"—a distinction researchers found unconvincing. 

Chrome web store failures

This incident highlights significant security gaps in Google's Chrome Web Store review process. Despite Google's claims of performing security checks through automated scans, human reviews, and monitoring for malicious behavior changes, FreeVPN.One managed to maintain its verified status and featured placement while conducting these activities. 

The extension appears to have exploited a patient approach—operating legitimately for years before introducing malicious functionality, effectively bypassing security measures. While the product overview mentions "advanced AI Threat Detection" with "passive mode" monitoring, it fails to clearly state that "scanning them visually" means sending screenshots to remote servers without notification or opt-out options. 

Current status

As of the article's publication, Google had not responded to inquiries about investigating the extension or removing it from the Chrome Web Store. The FreeVPN.One extension remained active and available for download despite the security findings, raising concerns about user protection in browser marketplaces. This case demonstrates how privacy-branded extensions can become surveillance tools, exploiting user trust while bypassing platform security measures.
Read more »
Polymorphic Attack
Chrome Extension Cyber Attacks Data Safety Malicious Campaign Polymorphic Attack

Malicious Chrome Extensions Spoof Password Managers in Novel Polymorphic Attack

 

Cybersecurity experts have uncovered a novel technique for a malicious web browser extension to spoof any installed add-on.

"The polymorphic extensions create a pixel perfect replica of the target's icon, HTML popup, workflows and even temporarily disables the legitimate extension, making it extremely convincing for victims to believe that they are providing credentials to the real extension," SquareX noted in a report published earlier this month. 

The attack targets all Chromium-based web browsers, including Google Chrome, Microsoft Edge, Brave, Opera, and others. The strategy relies on the fact that users frequently pin extensions to the browser's toolbar. In a hypothetical attack scenario, threat actors could publish a polymorphic extension to the Chrome Web Store (or any extension marketplace) and pass it off as a utility. 

The attackers could then use the harvested credentials to take over online accounts and steal sensitive financial and personal data without authorisation. While the add-on provides the claimed functionality without raising any suspicions, it activates the malicious features in the background by actively scanning for the presence of online resources associated with particular target extensions using a technique known as web resource hitting. 

Once a suitable target extension has been located, the attack proceeds to the next stage, when it morphs into a duplicate of the legitimate extension. This is performed by modifying the rogue extension's icon to match that of the target and temporarily disabling the actual add-on using the "chrome.management" API, resulting in its removal from the toolbar. 

"The polymorphic extension attack is extremely powerful as it exploits the human tendency to rely on visual cues as a confirmation," SquareX added. "In this case, the extension icons on a pinned bar are used to inform users of the tools they are interacting with.” 

The findings follow a month after the company revealed Browser Syncjacking, another attack technique that allows a seemingly harmless browser extension to take over a victim's device.
Read more »
Security Breach
browser hijacking Chrome Extension Cyber Security Cybersecurity Data Theft Google Workspace Hacking phishing Security Breach

New 'Browser Syncjacking' Attack Exploits Chrome Extensions for Full Device Takeover

 

'Browser Syncjacking,' which allows threat actors to hijack Google profiles, compromise browsers, and eventually gain full control over a victim's device—all through a seemingly harmless Chrome extension.

This stealthy multi-stage attack requires minimal permissions and almost no user interaction beyond installing a malicious Chrome extension. The attack begins with:

1. Fake Google Workspace Setup – Attackers create a fraudulent Google Workspace domain with pre-configured user profiles where security features like multi-factor authentication are disabled.

2. Publishing a Malicious Extension – A Chrome extension, disguised as a useful tool, is uploaded to the Chrome Web Store.

3. Social Engineering Trap – Victims are tricked into installing the extension, which then secretly logs them into an attacker's managed Google Workspace profile via a hidden browser session.

4. Sync Activation – The extension opens a legitimate Google support page and injects content instructing users to enable Chrome Sync. Once activated, attackers gain access to stored credentials, browsing history, and other sensitive data.

5. Full Browser Takeover – Using deceptive tactics, such as a fake Zoom update prompt, the extension delivers an executable file containing an enrollment token. This grants attackers full control over the browser.

"Once enrolled, the attacker gains full control over the victim's browser, allowing them to silently access all web apps, install additional malicious extensions, redirect users to phishing sites, monitor/modify file downloads, and many more," explains SquareX researchers.

By leveraging Chrome's Native Messaging API, attackers establish a direct communication channel between the malicious extension and the victim's operating system. This enables them to:
  • Browse directories
  • Modify files
  • Install malware
  • Execute commands
  • Capture keystrokes
  • Extract sensitive data
  • Activate the webcam and microphone
The Browser Syncjacking attack is difficult to detect. Unlike traditional extension-based threats that require extensive social engineering, this method operates with minimal user interaction.

"Unless the victim is extremely security paranoid and is technically savvy enough to constantly navigate the Chrome settings to look for managed browser labels, there is no real visual indication that a browser has been hijacked," the report warns.

Recent incidents, including hijacks of legitimate Chrome extensions, have demonstrated that browser extensions pose significant cybersecurity risks.

BleepingComputer has reached out to Google for comments on this new attack and will provide updates as soon as a response is received.
Read more »
Sensitive customer information
Chrome Extension Customer Data Cyber Attacks Cybersecurity measures Data Loss data security Phishing email Sensitive customer information

Cyberattack on Cyberhaven Chrome Extension Exposes Sensitive Data

 


On Christmas Eve, Cyberhaven, a data loss prevention company, experienced a cyberattack targeting its Google Chrome extension. The breach exposed sensitive customer data, including passwords and session tokens. The company has since taken swift measures to address the issue and prevent future incidents.

The attack occurred after a Cyberhaven employee fell victim to a phishing email, inadvertently sharing their credentials. This gave the attacker access to Cyberhaven’s systems, specifically the credentials for the Google Chrome Web Store. Leveraging this access, the attacker uploaded a malicious version (24.10.4) of the Cyberhaven Chrome extension. The compromised version was automatically updated on Chrome-based browsers and remained active from 1:32 AM UTC on December 25 to 2:50 AM UTC on December 26.

Swift Response by Cyberhaven

Cyberhaven’s security team discovered the breach at 11:54 PM UTC on Christmas Day. Within an hour, they removed the malicious extension from the Web Store. CEO Howard Ting praised the team’s dedication, stating, “Our team acted swiftly and with remarkable dedication, interrupting their holiday plans to safeguard our customers and maintain our commitment to transparency.”

While no other Cyberhaven systems, such as CI/CD processes or code signing keys, were affected, the compromised extension potentially enabled the exfiltration of user cookies and authenticated sessions for specific targeted websites. This incident underscores the persistent risks posed by phishing attacks and the critical need for robust security measures.

Mitigation Measures for Users

To mitigate the impact of the breach, Cyberhaven has advised users to take the following steps:

  • Update the extension to version 24.10.5 or newer.
  • Monitor logs for unusual activity.
  • Revoke or reset passwords not protected by FIDOv2.

These proactive measures are essential to prevent further exploitation of compromised credentials.

Enhanced Security Measures

In response to the attack, Cyberhaven has implemented additional security protocols to strengthen its defenses. The company is also working with law enforcement to investigate the breach and identify the attackers, who reportedly targeted other companies as well.

This attack highlights the increasing sophistication of cyber threats, particularly those exploiting human error. Phishing remains one of the most effective tactics for gaining unauthorized access to sensitive systems. Companies must prioritize employee training on recognizing phishing attempts and establish multi-layered security frameworks to mitigate vulnerabilities.

Cyberhaven’s swift response and transparent communication reflect its commitment to customer security and trust. As the investigation continues, this incident serves as a stark reminder of the importance of vigilance in the ever-evolving landscape of cybersecurity threats.

Read more »
User Privacy
Chrome Extension Manifest V3 Mobile Security Security flaw SquareX User Privacy

Chrome Extensions Continue to Pose a Threat, Even With Google's Manifest V3

 

Users have always found browser extensions to be a useful tool for increasing productivity and streamlining tasks. They have, however, become a prime target for malicious actors attempting to exploit flaws, impacting both individual users and companies. 

Despite efforts to boost security, several of these extensions have found ways to exploit vulnerabilities in Google's latest extension framework, Manifest V3 (MV3). SquareX's recent research explained how these rogue extensions can continue to evade crucial security protections, exposing millions of users to risks such as data theft, malware, and unauthorised access to sensitive information. 

Google has always had troubles with Chrome addons. In June 2023, the company had to manually remove 32 vulnerable extensions that had been installed 72 million times before being removed. 

Google's previous extension framework, Manifest Version 2 (MV2), was notoriously unstable. It frequently granted excessive rights to extensions and allowed scripts to be introduced without user knowledge, making it less complicated for cybercriminals to steal data, access sensitive information, and install malware.

In response, Google launched Manifest V3, which intended to improve security by limiting permissions and requiring extensions to declare their scripts in advance. While MV3 was supposed to address the vulnerabilities found in MV2, SquareX's study indicates that it falls short in important areas. 

Malicious extensions built on MV3 can still circumvent security measures and grab live video streams from collaboration services such as Google Meet and Zoom Web without requiring specific permission. They can even add unauthorised contributors to private GitHub repositories and send users to phishing pages masquerading as password managers. 

Furthermore, these malicious extensions, like their MV2 counterparts, can access browser history, cookies, bookmarks, and download history by displaying a fake software update pop-up that dupes users into downloading the malware. 

Once the malicious extension is installed, individuals and businesses are unable to notice its activity, leaving them vulnerable. Endpoint protection, Secure Access Service Edge (SASE), and Secure Web Gateways (SWG) are examples of security solutions that cannot dynamically assess potential risks in browser extensions. 

SquareX has created a number of solutions targeted at enhancing browser extension security in order to address these issues. Their strategy includes customised rules that let administrators choose which extensions to accept or ban depending on user ratings, reviews, update history, and extension permissions.

This system can prevent network requests from extensions in real time using policies, machine learning insights, and heuristic analysis. Additionally, SquareX is experimenting with dynamic analysis of Chrome extensions using a customised Chromium browser on its cloud server, which will provide greater insights into the behaviour of potentially malicious extensions.
Read more »
User Security
Chrome Extension Cyber Security Data Privacy Infostealer Malicious Campaign User Security

New Tool Circumvents Google Chrome's New Cookie Encryption System

 

A researcher has developed a tool that bypasses Google's new App-Bound encryption cookie-theft defences and extracts saved passwords from the Chrome browser. 

Alexander Hagenah, a cybersecurity researcher, published the tool, 'Chrome-App-Bound-Encryption-Decryption,' after noticing that others had previously identified equivalent bypasses. 

Although the tool delivers what several infostealer operations have already done with their malware, its public availability increases the risk for Chrome users who continue to store sensitive information in their browsers. 

Google launched Application-Bound (App-Bound) encryption in July (Chrome 127) as a new security feature that encrypts cookies using a Windows process with SYSTEM rights. 

The goal was to safeguard sensitive data against infostealer malware, which operates with the logged user's access, making it impossible to decrypt stolen cookies without first achieving SYSTEM privileges and potentially setting off security software alarms. 

"Because the App-Bound service is running with system privileges, attackers need to do more than just coax a user into running a malicious app," noted Google in July. "Now, the malware has to gain system privileges, or inject code into Chrome, something that legitimate software shouldn't be doing.” 

However, by September, several infostealer thieves had discovered ways to circumvent the new security feature, allowing their cybercriminal customers to once again siphon and decrypt sensitive data from Google Chrome. 

Google previously stated that the "cat and mouse" game between info-stealer developers and its engineers was to be expected, and that they never assumed that its defence measures would be impenetrable. Instead, they believed that by introducing App-Bound encryption, they could finally set the groundwork for progressively constructing a more robust system. Below is Google's response from the time:

"We are aware of the disruption that this new defense has caused to the infostealer landscape and, as we stated in the blog, we expect this protection to cause a shift in attacker behavior to more observable techniques such as injection or memory scraping. This matches the new behavior we have seen. 

We continue to work with OS and AV vendors to try and more reliably detect these new types of attacks, as well as continuing to iterate on hardening defenses to improve protection against infostealers for our users.”
Read more »
User Safety
ChatGPT Chrome Extension Cyber Crime Data Theft Fake Extension User Privacy User Safety

Fake ChatGPT Chrome Extension Targets Facebook Accounts

 

As ChatGPT becomes increasingly well-known, more and more individuals desire to use cutting-edge chatbot. In turn, this makes them a desirable target for cybercriminals. 

This time around, hackers are using a browser extension called "Quick access to Chat GPT" as a ruse to trick unwary users, claims a recent blog post from the online privacy company Guardio. A while back, fake ChatGPT apps were used to spread malware and steal passwords. The extension, which has since been taken down from the Chrome Web Store, does, however, genuinely provide users access to the chatbot, unlike other fraudulent ChatGPT apps. 

The extension does this while also stealing every cookie that is saved in your browser, including security and session tokens for websites like YouTube, Twitter, and even your Google account. The hackers behind the extension can access your online accounts and steal your passwords with this information, while the primary target of the extension is Facebook accounts. 

Targeting prominent Facebook business accounts 

The hackers who created the extension, according to CyberNews, are closely monitoring people who have prominent Facebook business accounts. This makes sense considering how lucrative LinkedIn and Facebook Business accounts may be, and how frequently attackers target them. 

Those who install the extension will not only have their Facebook accounts compromised but also have bots utilise them to promote "Easy access to Chat GPT" even further.

Even worse, the hackers behind this effort have discovered a means to get around Facebook's security by renaming queries made through Meta's Graph API to the social media platform's servers. This allows them to handle a victim's "linked WhatsApp and Instagram accounts" according to Guardio's security analysts. 

You must exercise extreme caution while downloading and installing new browser extensions because so much of our daily activities now take place online. Bad extensions can manage to evade detection, just like malicious programmes. For this reason, before downloading an extension, you should always check its rating and reviews on the Chrome Web Store. When you click "Add to Chrome," you should, however, search for external evaluations on other websites or even videos that demonstrate an extension in use.

How to use ChatGPT securely and safely

The most recent trends are well known to hackers, who exploit them to develop fresh phishing schemes and other intrusions. In order to encourage you to click or download something, companies typically aim to create a sense of urgency, but in this case, ChatGPT has already done the legwork for them. 

The only option to skip the line and gain early access to ChatGPT is to pay $20 per month for ChatGPT Plus or to fulfil all conditions to gain early access to Microsoft's Bing with ChatGPT. 

There isn't an official browser plugin for ChatGPT yet. Indeed, "chat.openai.com" is the only place where you may now access OpenAI's chatbot online. It's possible that this will change in the future, and if it does, there will be several announcements and news stories regarding the new ChatGPT access method. 

You should probably make sure that the best antivirus software is loaded on your PC or the best Mac antivirus software is installed on your Apple computer if you're the impatient type who searches for quick ways to access ChatGPT. This will protect you from malware and other viruses if you encounter fraud similar to the one described above.

Hackers will probably continue to develop new strategies to utilise the well-known chatbot as bait until ChatGPT can be accessible by anybody without needing to join a waitlist or wait in a queue.
Read more »
User Privacy
Chrome Extension data security Data Theft Login Credentials Mobile Security User Privacy

Malicious Chrome Extension Discovered Siphoning Private Data of Roblox Players

 

Customers at Roblox, the popular online game platform, are being targeted via malicious Google Chrome browser extension that attempts to siphon their passwords and private data. 

Threat analysts at Bleeping Computer uncovered two separate chrome extensions called SearchBlox, with more than 200,000 downloads, containing a backdoor that allow the hackers to steal users’ Roblox credentials and their Rolimons assets. 

It remains unclear clear whether the designer of these two extensions added the backdoor intentionally or if another hacker did, however, threat analysts were able to analyze their code and find the backdoor. 

The malicious extensions identified on the Chrome Web Store add a player search box to the users’ page that allows it to scan the game’s servers for other players. Although they have different icons, the extensions were both designed by the same developer and have identical descriptions. 

Surprisingly, the first extension was actually featured on the Chrome Web Store despite its three-star rating. Upon scanning the comment section on its review page, Roblox players seemed quite satisfied with the extension before the backdoor was suddenly added, which indicates that a threat actor was responsible and not its developer TheM2. 

To mitigate the potential threat, researchers advised Roblox players to uninstall the extension immediately, clear browser cookies, and alter the login credentials for Roblox, Rolimons, and other websites where they logged in while the extension was active. 

Additionally, the Google spokesperson confirmed that the extensions were removed immediately and would also be automatically erased from systems where they were installed. 

"The identified malicious extensions are no longer available on the Chrome Web Store," Google stated. The extensions are block listed and will be automatically removed from any user machine that previously downloaded them." 

This is not the first instance Roblox users have been the victims of cybercrime. Earlier this year in May, security experts identified a malicious file concealed inside the legitimate Synapse X scripting tool which is utilized to inject exploits or cheat codes into Roblox. 

Malicious hackers exploited Synapse X to deploy a self-executing program on Windows PCs that installs library files into the Windows system folder. This has the potential to break applications, corrupt or erase data or even send data back to the attackers responsible.
Read more »
User Privacy
Chrome Extension Cookies data security Mobile Security User Privacy

Malicious Chrome Extensions Siphoning Data from 1.4 million Users

 

Threat analysts at McAfee unearthed five malicious Chrome extensions manufactured to track user's browsing activity and deploy code into e-commerce websites. 

With over 1.4 million installs, the malicious extensions can alter cookies on e-commerce platforms without the victim’s knowledge so that scammers can receive affiliate payments for the purchased products. The five malicious extensions that exploit affiliate marketing are as follows: 

• Netflix Party (800,000 downloads), 
• Netflix Party 2 (300,000), 
• Full Page Screenshot Capture (200,000), 
• FlipShope Price Tracker Extension (80,000), 
• AutoBuy Flash Sales (20,000). 

"The extensions offer various functions such as enabling users to watch Netflix shows together, website coupons, and taking screenshots of a website," McAfee researchers Oliver Devane and Vallabh Chole explained. "The latter borrows several phrases from another popular extension called GoFullPage."

All five extensions employ an identical methodology to target users. The web app manifest ("manifest.json" file), responsible for managing the extension behavior on the victim’s system, loads a multifunctional script (B0.js) that sends the browsing data to a domain the hackers' control (“langhort[.]com”). 

The data is deployed via POST requests each time the victim visits a new URL. The stolen data includes the URL in base64 form, the user ID, device location (country, city, zip code), and an encoded referral URL. The researchers also disclosed that the user tracking and code injection behavior resides in a script named ‘b0.js’, which contains many other functions as well. 

Additionally, the security firm identified the evasive mechanism that delays the malicious activity by 15 days from the time of installation of the extension to help keep its activity concerted and avoid raising red flags. 

McAfee recommends users extensively check extensions before installing them, even if they already have a large install base, and to pay close attention to the permissions the extensions ask for, such as the permission to run on any website the user visits. 

Last month, security researchers at Kaspersky estimated that more than 1.3 million users have been impacted by malicious browser extensions in just the first six months of this year alone. In fact, from January 2020 to June 2022, researchers unearthed that more than 4.3 million users had adware concealed in their browser extensions. Although Google is working rigorously to eliminate malicious extensions, new ones continue to pop up at a rapid pace.
Read more »
Meta
API Brave Browser Cambridge Analytica Chrome Extension Chrome Web Store Data Breach Facebook Meta

Brave Disabled a Chrome Extension Linked to Facebook Users

 

Last week, security analyst Zach Edwards stated how Brave had restricted the L.O.C. Chrome extension citing concerns it leaked the user's Facebook information to the third server without warning or authorization prompt. An access token used by L.O.C. was obtained easily from Facebook's Creator Studio online app. After retrieving this token — a text thread made up of 192 alphanumeric characters – from the apps, the chrome extensions can use it with Facebook's Graph API to get data about the signed-in user without being a Facebook-approved third-party app. 

The concern is whether this type of data access could be exploited. Without the user's knowledge, an extension using this token could, copy the user's file and transmit it to a remote server. It might also save the user's name and email address and use it to track them across websites. According to a Brave official, the business is working with the programmer to make certain changes — most likely an alert or permission prompt – to ensure the extension is appropriate in terms of privacy and security. 

In September 2018, Facebook announced a security breach impacting nearly 50 million profiles, it blamed criminals for stealing access tokens supplied by its "View As" function, allowing users to see how the profiles appear to others." They were able to steal Facebook access tokens, which subsequently used to take over people's accounts," said Guy Rosen, Meta's VP of Integrity.

Cambridge Analytica accessed people's Facebook profiles using a third-party quiz app which was linked to the social media platform. One would assume a quiz app won't disclose your Facebook profile information with others, and a Chrome extension won't do the same. Despite Facebook's assurances, some steps must be taken to prevent a repetition of the Cambridge Analytica scandal, the Creators Studio access tokens in the hands of a malicious and widely used Chrome extension might lead to a rerun of history. 

Part of the problem is Google's Chrome extensions seem easy to corrupt or exploit, and Meta, aside from reporting the matter to Google, has no immediate ability to block the deployment of extensions which abuse its Graph API. The Creator Studio token is detailed to the user's session, according to a Meta representative, meaning it will terminate if the extension user signs out of Facebook. And, if the token hasn't been transferred to the extension developer's server, as looks to be the situation with the L.O.C. extension, uninstalling it will also result in the token expiring. 

Meta has asked Google to delete the extension from the Chrome Web Store once more and is looking into alternative options.
Read more »
User Security
API Chrome Extension Cyber Security Data Safety Facebook User Security

Facebook has Exposed a 'God Mode' Token that Might be Used to Harvest Data

 

Brave stated that it is prohibiting the installation of the popular Chrome extension L.O.C. because it exposes users' Facebook data to potential theft. "If a user is already logged into Facebook, installing this extension will automatically grant a third-party server access to some of the user's Facebook data," explained Francois Marier, a security engineer at Brave, in a post. "The API used by the extension does not cause Facebook to show a permission prompt to the user before the application's access token is issued." 

Loc Mai, the extension's developer, stated in an email that the Graph API on Facebook requires a user's access token to function. The extension sends a GET request to Creator Studio for Facebook to receive the token, which allows users of the extension to automate the processing of their own Facebook data, such as downloading messages. The request returns an access token to the extension for the logged-in Facebook user, allowing additional programmatic interactions with Facebook data. 

Zach Edwards, a security researcher, said, "Facebook faced nearly an identical scandal in 2018 when 50 million Facebook accounts were scrapped due to a token exposure." Nonetheless, Facebook appears to regard this data dispensing token as a feature rather than a bug. 

According to Mai, his extension does not harvest information, as stated in the extension's privacy policy. Currently, the extension has over 700,000 users. "The extension does not collect the user's data unless the user becomes a Premium user, and the only thing it collects is UID – which is unique to each person," explained Mai. 

As per Mai, the extension saves the token locally under localStorage.touch. This is a security concern but is not evidence of wrongdoing. L.O.C. is still available on the Chrome Web Store. A malicious developer, on the other hand, might harvest Facebook data using the same access technique, because Facebook is releasing a plain-text token that grants "god mode," as Edwards describes it. 

According to Edwards, Facebook's Terms of Service fall short in this regard because, while the company requires individuals to utilize its app platform, it does not prohibit people from utilizing browser extensions. 

This loophole, which exposes user data, is exacerbated by the way Chrome extensions now work. According to Edwards, Chrome extensions can seek authorization on one domain you control and another you don't, and then open a browser tab upon installation to scrape API tokens and session IDs for various types of apps.
Read more »
Mallicious URLs
Chrome Extension Cyber Security Detection Tool Google Mallicious URLs

This New Tool Helps in Detecting Vulnerable Chrome Extensions

 

The researchers from CISPA Helmholtz Center for Information Security in Germany have built tools to assist in identifying Chrome extensions that are vulnerable to exploitation by malicious web pages and other extensions. 

Google revealed plans to revamp its browser extension platform in 2018 in order to make it more safe. Chrome extensions had vast rights under its prior platform regulations, known as Manifest v2, which could be easily abused. Many crooks have taken use of these powers. Google, for example, eliminated over 500 harmful extensions in February 2020. That was a month after Google barred new extensions from its Chrome Web Store in order to combat payment fraud. 

Along with its attempts to tidy up the Chrome Web Store, Google has been working on Manifest v3, a redesigned set of extension APIs that offer less features, at the cost of content blocking and privacy tools, but with reduced security and privacy risks. In January 2021, Google began accepting Manifest v3 extensions for evaluation. However, its most recent extensions are not without flaws, and earlier Manifest v2 extensions still continue to circulate.

CISPA Helmholtz boffins Aurore Fass, Dolière Francis Somé, Michael Backes, and Ben Stock took it upon themselves to create a tool termed DoubleX to assist in coping with the problem. They highlight their research in the paper termed "DoubleX: Statically Detecting Vulnerable Data Flows in Browser Extensions at Scale," which is published in the Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, which will be held next week in South Korea. 

They stated that malicious extensions are only a small part of the extensions that cause security and privacy issues. Furthermore, benign extensions may include vulnerable code that may be abused by other extensions installed by the user. DoubleX is on the lookout for extensions that aren't harmful but can be exploited. 

DoubleX is a open-source static analyzer that detects potentially dangerous data flows. In other words, it doesn't simply hunt for malicious extensions; it also looks for exploitable data pathways. 

 How might these flaws be exploited?

According to the researchers, the presence of an eval function indicates that an attacker might possibly exploit the permissions of the vulnerable extension. When DoubleX was fed a considerable number of Chrome apps, it did discover some issues, but they were comparatively less. 

The paper stated, "We analyzed 154,484 Chrome extensions, 278 of which we flagged as having externally controllable data flows or exfiltrating sensitive user information. For those, we could verify that 89 per cent of the data flows can be influenced by an attacker, which highlights DoubleX precision." 

"In addition, we detected 184 extensions (with 209 vulnerabilities) that are exploitable under our threat model, leading to, e.g., arbitrary code execution in any website." 

Around 2.4 million to 2.9 million people are affected by these 184 extensions, with 172 vulnerable to a web attacker and 12 vulnerable through another unprivileged extension. The researchers claim they duly notified their results to developers if they could discover contact information, and to Google in other cases, from October 2020 to May 2021. According to them, 45 of the 48 vulnerable extensions discovered were still available in the Chrome Web Store as of July 2021. 

The paper stated, "Of those, 13 have been updated since our disclosure, but only five have been fixed (300k+ users, 50k+ users, 3k+ users, 2k+ users, and 35 users)."
Read more »
Technology News
Chrome Extension Chrome Web Store Google Google Chrome Technology Technology News

Google Stops Displaying Security Warnings in Microsoft Edge, No Longer Recommends Switching to Chrome


Google has stopped advising Microsoft Edge users to switch to Chrome for a more secure experience as the browser extensions crafted for Google's Chrome web browser are also suitable for the new Microsoft's new Edge browser based on Chromium.

It appeared like Google stoked the flames of browser wars when it subtly encouraged Edge users to shift to Chrome by displaying warnings of potential security threats. The alert displayed by Google read that it "recommends switching to Chrome to use extensions securely". A developer at Edge revealed that the new Microsoft Edge is designed to effectively safeguard its users from malicious extensions, that said, Edge already had Windows Defender Smart Screen and Unwanted Application protection built-in.

Whenever a user visited the Chrome Web Store via the new Microsoft Edge, Google displayed a message in yellow at the top of the webpage recommending users to switch to Chrome in order to use extensions with added safety. However, seemingly, as soon as Google realized that greeting users with a warning message which clearly implied that Microsoft Edge is less secure of a browser is not making them look good, the tech giant softened and decided to take the alert down. Not only that, Google went a step ahead and replaced the previously displayed warning with a fresh one that tells users that now they can add extensions to Microsoft Edge from the Chrome Web Store.

However, still, officially only a few extensions are supported by Microsoft Edge as the installation of all these extensions for the first will seem to be a bit complex. Users need to enable 'allow extensions' from other stores via the settings page. On attempting to do that, Microsoft warns that it doesn't verify extensions downloaded from third-party stores and cautions that doing the same may cause performance issues in Edge. Then it suggests users get verified extensions from Microsoft Edge add-ons site. As soon as the users allow extensions by clicking on 'Allow', they will be able to add extensions to Edge from Chrome Web Store.
Read more »
Shitcoin Wallet
Chrome Extension Crypto Wallets Cyber Fraud Google Chrome Shitcoin Wallet

Google Chrome Extension, Shitcoin Wallet found stealing passwords and crypto-wallet keys


MyCrypto platform reported that Shitcoin Wallet, a Google Chrome extension was injecting JavaScript code on web pages, in order to steal passwords and keys from cryptocurrency wallets.


The extension, Shitcoin Wallet, Chrome extension ID: ckkgmccefffnbbalkmbbgebbojjogffn, was launched last month on December 9. With Shitcoin Wallet, users managed their Ether (ETH) coins, and Ethereum ERC20-based tokens -- tokens usually issued for ICOs (initial coin offerings) either from the browser or by installing a desktop app.

Malicious Behavior with the extension

Harry Denley, Director of Security at the MyCrypto platform, discovered that the chrome extension isn't what it promises to be. He found malicious code within the extension. In a blog, ZDNet reported that "According to Denley, the extension is dangerous to users in two ways. First, any funds (ETH coins and ERC0-based tokens) managed directly inside the extension are at risk.
Second, the extension also actively injects malicious JavaScript code when users navigate to five well-known and popular cryptocurrency management platforms. "

 Danley, said that the extension traffics all the keys on its system to a third party website at erc20wallet[.]tk.

 The malicious code works by the following process

1. The user installs the chrome extension Shitcoin Wallet.
2. The extension request permission to inject the malicious JavaScript code to 77 websites.
3. If the user navigates to any of these 77 websites, it injects an additional code.
4. The code activates on five websites: MyEtherWallet.com, Index. Market, Binance.org, NeoTracker.io, and Switcheo.exchange
5. After activation, the code saves the user's login credentials, keys, and other data then siphon it to a third party.

It is not constructively clear yet if the Shitcoin Wallet team is responsible for the malicious behavior or a third party infiltrated the extension. The Shitcoin Wallet team is silent on the allegations and has yet to give any comments on the matter.

Desktop App

Both 32-bit and 64-bit installers are available for the user to download on the extension's official website. VirusTotal, a website that aggregates the virus scanning engines of several antivirus software makers, showed that both versions were clean. But on a warning note, the desktop app may contain the code or something even worse.
Read more »
Subscribe to: Posts (Atom)