
Malicious Chrome Extensions Hijack Affiliate Links and Steal ChatGPT Tokens


Cybersecurity researchers have uncovered an alarming surge in malicious Google Chrome extensions that hijack affiliate links, steal sensitive data, and siphon OpenAI ChatGPT authentication tokens. These deceptive add-ons, masquerading as handy shopping aids and AI enhancers, infiltrate the Chrome Web Store to exploit user trust. Disguised tools like Amazon Ads Blocker from "10Xprofit" promise ad-free browsing but secretly swap creators' affiliate tags with the developer's own, robbing influencers of commissions across Amazon, AliExpress, Best Buy, Shein, Shopify, and Walmart.

Socket Security identified 29 such extensions in this cluster, uploaded as recently as January 19, 2026, which scan product URLs without user interaction to inject tags like "10xprofit-20." They also scrape product details to attacker servers at "app.10xprofit[.]io" and deploy fake "LIMITED TIME DEAL" countdowns on AliExpress pages to spur impulse buys. Misleading store listings claim mere "small commissions" from coupons, violating policies that demand clear disclosures, user consent for injections, and single-purpose designs.

Broadcom's Symantec separately flagged four data-thieving extensions with over 100,000 installs, including Good Tab, which relays clipboard access to "api.office123456[.]com," and Children Protection, which harvests cookies, injects ads, and executes remote JavaScript. DPS Websafe hijacks searches to malicious sites, while Stock Informer exposes users to an old XSS flaw (CVE-2020-28707). Researchers Yuanjing Guo and Tommy Dong stress caution even with trusted sources, as broad permissions enable unchecked surveillance.

LayerX exposed 16 coordinated "ChatGPT Mods" extensions—downloaded about 900 times—that pose as productivity boosters like voice downloaders and prompt managers. These inject scripts into chatgpt.com to capture session tokens, granting attackers full account access to conversations, metadata, and code. Natalie Zargarov notes this leverages AI tools' high privileges, turning trusted brands into deception vectors amid booming enterprise AI adoption.

Compounding risks, the "Stanley" malware-as-a-service toolkit, sold on Russian forums for $2,000-$6,000, generates note-taking extensions that overlay phishing iframes on bank sites while faking legitimate URLs. Premium buyers get Chrome Store approval guarantees and C2 panels for victim management; it vanished January 27, 2025, post-exposure but may rebrand. Varonis' Daniel Kelley warns browsers are now prime endpoints in BYOD and remote setups.

Users must audit extensions for mismatched features, excessive permissions, and vague disclosures—remove suspects via Chrome settings immediately. Limit installs to verified needs, favoring official apps over third-party tweaks. As e-commerce and AI extensions multiply, proactive vigilance thwarts financial sabotage and data breaches in this evolving browser battlefield.

Phantom Shuttle Chrome Extensions Caught Stealing Credentials


Two malicious Chrome extensions, tracked as Phantom Shuttle, have been discovered posing as proxy and network-testing tools while stealing browsing data and private information from users' browsers without their knowledge.

According to security researchers from Socket, these extensions have been around since at least 2017 and were present in the Chrome Web Store until the time of writing. This raises serious concerns regarding the dangers associated with browser extensions even from reputable sources. 

Analysis carried out by Socket indicates that the Phantom Shuttle extensions route victims' web traffic through attacker-controlled proxy infrastructure, authenticating to it with hardcoded credentials. The attackers hid the malicious code by prepending it to a bundled jQuery library.

The hardcoded proxy credentials are further obfuscated with a custom character-index-based encoding scheme, which hampers detection and slows reverse engineering. The extensions' built-in traffic listener is capable of intercepting HTTP authentication challenges on multiple websites.

Modus operandi 

To force traffic through its infrastructure, Phantom Shuttle dynamically modifies Chrome’s proxy configuration using an auto-configuration script. In a default mode labeled “smarty,” the extensions allegedly route more than 170 “high-value” domains through the proxy network, including developer platforms, cloud consoles, social media services, and adult sites. Additionally, to avoid breaking environments that could expose the operation, the extensions maintain an exclusion list that includes local network addresses and the command-and-control domain. 

Since the extensions operate as a man-in-the-middle, they can seize data submitted through forms such as credentials, payment card data, passwords and other personal information. Socket claims the extensions can also steal session cookies from HTTP headers and parse API tokens from requests, potentially taking over accounts even if passwords aren't directly harvested.

Mitigation tips 

Chrome users are warned to download extensions only from trusted developers, to verify multiple user reviews and to be attentive to the permissions asked for when installing. In sensitive workload environments (cloud admin, developer portals, finance tools), minimizing extensions and removing those not in use can also dramatically reduce exposure to similar proxy-based credential heists.

FreeVPN.One Extension Turns from Privacy Tool to Surveillance Threat


Security researchers at Koi Security have discovered troubling behavior from FreeVPN.One, a popular Chrome VPN extension with over 100,000 installations that has begun secretly capturing and transmitting users' screenshots to remote servers. 

Threat discovery 

The extension, which had maintained legitimate functionality for years, recently shifted its behavior in July 2025 to silently capture screenshots approximately one second after each page load. These screenshots are then transmitted to external servers—initially unencrypted, but later obfuscated with encryption after updates. The malicious behavior was introduced gradually through smaller updates that first requested additional permissions to access all websites and inject custom scripts. 

Developer's response

When confronted, FreeVPN.One's developer claimed the extension "is fully compliant with Chrome Web Store policies" and that screenshot functionality is disclosed in their privacy policy. The developer provided various justifications, including that screenshots only trigger "if a domain appears suspicious" as part of "background scanning". 

However, Koi researchers refuted this, providing evidence of activation on trusted domains including Google's own sites. The developer also claimed screenshots are "not being stored or used" but "only analyzed briefly for potential threats"—a distinction researchers found unconvincing. 

Chrome web store failures

This incident highlights significant security gaps in Google's Chrome Web Store review process. Despite Google's claims of performing security checks through automated scans, human reviews, and monitoring for malicious behavior changes, FreeVPN.One managed to maintain its verified status and featured placement while conducting these activities. 

The extension appears to have exploited a patient approach—operating legitimately for years before introducing malicious functionality, effectively bypassing security measures. While the product overview mentions "advanced AI Threat Detection" with "passive mode" monitoring, it fails to clearly state that "scanning them visually" means sending screenshots to remote servers without notification or opt-out options. 

Current status

As of the article's publication, Google had not responded to inquiries about investigating the extension or removing it from the Chrome Web Store. The FreeVPN.One extension remained active and available for download despite the security findings, raising concerns about user protection in browser marketplaces. This case demonstrates how privacy-branded extensions can become surveillance tools, exploiting user trust while bypassing platform security measures.

Malicious Chrome Extensions Spoof Password Managers in Novel Polymorphic Attack


Cybersecurity experts have uncovered a novel technique for a malicious web browser extension to spoof any installed add-on.

"The polymorphic extensions create a pixel-perfect replica of the target's icon, HTML popup, workflows and even temporarily disable the legitimate extension, making it extremely convincing for victims to believe that they are providing credentials to the real extension," SquareX noted in a report published earlier this month.

The attack targets all Chromium-based web browsers, including Google Chrome, Microsoft Edge, Brave, Opera, and others. The strategy relies on the fact that users frequently pin extensions to the browser's toolbar. In a hypothetical attack scenario, threat actors could publish a polymorphic extension to the Chrome Web Store (or any extension marketplace) and pass it off as a utility. 

The attackers could then use the harvested credentials to take over online accounts and steal sensitive financial and personal data without authorisation. While the add-on provides the claimed functionality without raising any suspicions, it activates the malicious features in the background by actively scanning for the presence of online resources associated with particular target extensions using a technique known as web resource hitting. 

Once a suitable target extension has been located, the attack proceeds to the next stage, where it morphs into a duplicate of the legitimate extension. This is performed by modifying the rogue extension's icon to match that of the target and temporarily disabling the actual add-on using the "chrome.management" API, resulting in its removal from the toolbar.

"The polymorphic extension attack is extremely powerful as it exploits the human tendency to rely on visual cues as a confirmation," SquareX added. "In this case, the extension icons on a pinned bar are used to inform users of the tools they are interacting with."

The findings follow a month after the company revealed Browser Syncjacking, another attack technique that allows a seemingly harmless browser extension to take over a victim's device.

New 'Browser Syncjacking' Attack Exploits Chrome Extensions for Full Device Takeover


Security researchers have detailed a new attack technique, 'Browser Syncjacking,' which allows threat actors to hijack Google profiles, compromise browsers, and eventually gain full control over a victim's device, all through a seemingly harmless Chrome extension.

This stealthy multi-stage attack requires minimal permissions and almost no user interaction beyond installing a malicious Chrome extension. The attack unfolds in the following stages:

1. Fake Google Workspace Setup – Attackers create a fraudulent Google Workspace domain with pre-configured user profiles where security features like multi-factor authentication are disabled.

2. Publishing a Malicious Extension – A Chrome extension, disguised as a useful tool, is uploaded to the Chrome Web Store.

3. Social Engineering Trap – Victims are tricked into installing the extension, which then secretly logs them into an attacker's managed Google Workspace profile via a hidden browser session.

4. Sync Activation – The extension opens a legitimate Google support page and injects content instructing users to enable Chrome Sync. Once activated, attackers gain access to stored credentials, browsing history, and other sensitive data.

5. Full Browser Takeover – Using deceptive tactics, such as a fake Zoom update prompt, the extension delivers an executable file containing an enrollment token. This grants attackers full control over the browser.

"Once enrolled, the attacker gains full control over the victim's browser, allowing them to silently access all web apps, install additional malicious extensions, redirect users to phishing sites, monitor/modify file downloads, and many more," explain SquareX researchers.

By leveraging Chrome's Native Messaging API, attackers establish a direct communication channel between the malicious extension and the victim's operating system. This enables them to:
  • Browse directories
  • Modify files
  • Install malware
  • Execute commands
  • Capture keystrokes
  • Extract sensitive data
  • Activate the webcam and microphone

The Browser Syncjacking attack is difficult to detect. Unlike traditional extension-based threats that require extensive social engineering, this method operates with minimal user interaction.

"Unless the victim is extremely security paranoid and is technically savvy enough to constantly navigate the Chrome settings to look for managed browser labels, there is no real visual indication that a browser has been hijacked," the report warns.

Recent incidents, including hijacks of legitimate Chrome extensions, have demonstrated that browser extensions pose significant cybersecurity risks.

BleepingComputer has reached out to Google for comments on this new attack and will provide updates as soon as a response is received.
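The mitigation advice in the 10Xprofit and Phantom Shuttle posts above (audit extensions for excessive permissions, remove those not in use) can be turned into a repeatable check. The following Python is an added example, not code from any of the posts or vendors mentioned; it scores extension manifests for the permission combinations these posts describe: proxy rerouting (Phantom Shuttle), the management API that disables other add-ons (the polymorphic attack), native messaging (Syncjacking), clipboard and cookie access, and broad host access with all-site content scripts. The two sample manifests are constructed, and the risk descriptions and the unpacked-extensions directory path are this example's own assumptions.

```python
import json
import sys
from pathlib import Path

# Permissions that by themselves grant the capabilities the posts above describe.
# The descriptions are this example's own (assumption), not a vendor scoring scheme.
HIGH_RISK = {
    "proxy": "can reroute browsing through attacker-chosen servers (Phantom Shuttle)",
    "management": "can disable/remove other extensions (polymorphic spoofing)",
    "cookies": "can read session cookies for permitted hosts",
    "webRequest": "can observe headers, auth challenges and API tokens",
    "clipboardRead": "can read whatever the user copies",
    "nativeMessaging": "can talk to a host process outside the browser (Syncjacking)",
    "scripting": "can inject code into pages it has host access to",
    "debugger": "can attach to tabs with DevTools-level access",
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_manifest(manifest: dict) -> dict:
    """Score one manifest.json (MV2 or MV3); a higher score means more to review."""
    findings = []
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    for p in sorted(perms & HIGH_RISK.keys()):
        findings.append(f"permission '{p}': {HIGH_RISK[p]}")
    # MV2 lists host patterns under "permissions"; MV3 moves them to "host_permissions".
    hosts = set(manifest.get("host_permissions", [])) | {p for p in perms if "://" in p or p == "<all_urls>"}
    if hosts & BROAD_HOSTS:
        findings.append("broad host access: may read and modify every site")
    if any(set(cs.get("matches", [])) & BROAD_HOSTS for cs in manifest.get("content_scripts", [])):
        findings.append("content script injected into every page")
    if "proxy" in perms and hosts & BROAD_HOSTS:
        findings.append("proxy + all-site access: full man-in-the-middle position")
    return {"name": manifest.get("name", "?"), "version": manifest.get("version", "?"),
            "score": len(findings), "findings": findings}


def audit_extensions_dir(root: str) -> list:
    """Audit every manifest.json under an unpacked-extensions folder
    (for instance a Chrome profile's 'Extensions' directory; the path is an assumption)."""
    results = []
    for mf in Path(root).rglob("manifest.json"):
        try:
            results.append({**audit_manifest(json.loads(mf.read_text(encoding="utf-8"))), "path": str(mf)})
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it rather than abort the audit
    return sorted(results, key=lambda r: r["score"], reverse=True)


# Constructed sample manifests (not taken from any real extension).
BENIGN = {"name": "Colour picker (sample)", "version": "1.0", "manifest_version": 3,
          "permissions": ["activeTab", "storage"]}
SUSPECT = {"name": "Network test tool (sample)", "version": "2.3", "manifest_version": 3,
           "permissions": ["proxy", "webRequest", "management", "storage"],
           "host_permissions": ["<all_urls>"],
           "content_scripts": [{"matches": ["<all_urls>"], "js": ["jquery.js"]}]}

if __name__ == "__main__":
    if len(sys.argv) > 1:  # usage: python audit.py /path/to/unpacked/Extensions
        for r in audit_extensions_dir(sys.argv[1]):
            print(r["score"], r["name"], r["version"], r["path"])
    else:
        for m in (BENIGN, SUSPECT):
            print(json.dumps(audit_manifest(m), indent=2))
```

A score is a prompt to read the listing and the permissions dialog, not a verdict: a genuine VPN legitimately needs the proxy permission, which is exactly why the Phantom Shuttle and FreeVPN.One cases were hard to spot.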

Cyberattack on Cyberhaven Chrome Extension Exposes Sensitive Data

On Christmas Eve, Cyberhaven, a data loss prevention company, experienced a cyberattack targeting its Google Chrome extension. The breach exposed sensitive customer data, including passwords and session tokens. The company has since taken swift measures to address the issue and prevent future incidents.

The attack occurred after a Cyberhaven employee fell victim to a phishing email, inadvertently sharing their credentials. This gave the attacker access to Cyberhaven’s systems, specifically the credentials for the Google Chrome Web Store. Leveraging this access, the attacker uploaded a malicious version (24.10.4) of the Cyberhaven Chrome extension. The compromised version was automatically updated on Chrome-based browsers and remained active from 1:32 AM UTC on December 25 to 2:50 AM UTC on December 26.

Swift Response by Cyberhaven

Cyberhaven’s security team discovered the breach at 11:54 PM UTC on Christmas Day. Within an hour, they removed the malicious extension from the Web Store. CEO Howard Ting praised the team’s dedication, stating, “Our team acted swiftly and with remarkable dedication, interrupting their holiday plans to safeguard our customers and maintain our commitment to transparency.”

While no other Cyberhaven systems, such as CI/CD processes or code signing keys, were affected, the compromised extension potentially enabled the exfiltration of user cookies and authenticated sessions for specific targeted websites. This incident underscores the persistent risks posed by phishing attacks and the critical need for robust security measures.

Mitigation Measures for Users

To mitigate the impact of the breach, Cyberhaven has advised users to take the following steps:

  • Update the extension to version 24.10.5 or newer.
  • Monitor logs for unusual activity.
  • Revoke or reset passwords not protected by FIDOv2.

These proactive measures are essential to prevent further exploitation of compromised credentials.

Enhanced Security Measures

In response to the attack, Cyberhaven has implemented additional security protocols to strengthen its defenses. The company is also working with law enforcement to investigate the breach and identify the attackers, who reportedly targeted other companies as well.

This attack highlights the increasing sophistication of cyber threats, particularly those exploiting human error. Phishing remains one of the most effective tactics for gaining unauthorized access to sensitive systems. Companies must prioritize employee training on recognizing phishing attempts and establish multi-layered security frameworks to mitigate vulnerabilities.

Cyberhaven’s swift response and transparent communication reflect its commitment to customer security and trust. As the investigation continues, this incident serves as a stark reminder of the importance of vigilance in the ever-evolving landscape of cybersecurity threats.

Chrome Extensions Continue to Pose a Threat, Even With Google's Manifest V3


Users have always found browser extensions to be a useful tool for increasing productivity and streamlining tasks. They have, however, become a prime target for malicious actors attempting to exploit flaws, impacting both individual users and companies. 

Despite efforts to boost security, several of these extensions have found ways to exploit vulnerabilities in Google's latest extension framework, Manifest V3 (MV3). SquareX's recent research explained how these rogue extensions can continue to evade crucial security protections, exposing millions of users to risks such as data theft, malware, and unauthorised access to sensitive information. 

Google has long had trouble with Chrome add-ons. In June 2023, the company had to manually remove 32 vulnerable extensions that had accumulated 72 million installs before being taken down.

Google's previous extension framework, Manifest Version 2 (MV2), was notoriously unstable. It frequently granted excessive rights to extensions and allowed scripts to be injected without user knowledge, making it easier for cybercriminals to steal data, access sensitive information, and install malware.

In response, Google launched Manifest V3, which intended to improve security by limiting permissions and requiring extensions to declare their scripts in advance. While MV3 was supposed to address the vulnerabilities found in MV2, SquareX's study indicates that it falls short in important areas. 

Malicious extensions built on MV3 can still circumvent security measures and grab live video streams from collaboration services such as Google Meet and Zoom Web without requiring specific permission. They can even add unauthorised contributors to private GitHub repositories and send users to phishing pages masquerading as password managers. 

Furthermore, these malicious extensions, like their MV2 counterparts, can access browser history, cookies, bookmarks, and download history by displaying a fake software update pop-up that dupes users into downloading the malware. 

Once the malicious extension is installed, individuals and businesses are unable to notice its activity, leaving them vulnerable. Endpoint protection, Secure Access Service Edge (SASE), and Secure Web Gateways (SWG) are examples of security solutions that cannot dynamically assess potential risks in browser extensions. 

SquareX has created a number of solutions targeted at enhancing browser extension security in order to address these issues. Their strategy includes customised rules that let administrators choose which extensions to accept or ban depending on user ratings, reviews, update history, and extension permissions.

This system can prevent network requests from extensions in real time using policies, machine learning insights, and heuristic analysis. Additionally, SquareX is experimenting with dynamic analysis of Chrome extensions using a customised Chromium browser on its cloud server, which will provide greater insights into the behaviour of potentially malicious extensions.

New Tool Circumvents Google Chrome's New Cookie Encryption System


A researcher has developed a tool that bypasses Google's new App-Bound encryption cookie-theft defences and extracts saved passwords from the Chrome browser. 

Alexander Hagenah, a cybersecurity researcher, published the tool, 'Chrome-App-Bound-Encryption-Decryption,' after noticing that others had previously identified equivalent bypasses. 

Although the tool delivers what several infostealer operations have already done with their malware, its public availability increases the risk for Chrome users who continue to store sensitive information in their browsers. 

Google launched Application-Bound (App-Bound) encryption in July (Chrome 127) as a new security feature that encrypts cookies using a Windows process with SYSTEM rights. 

The goal was to safeguard sensitive data against infostealer malware, which operates with the logged user's access, making it impossible to decrypt stolen cookies without first achieving SYSTEM privileges and potentially setting off security software alarms. 

"Because the App-Bound service is running with system privileges, attackers need to do more than just coax a user into running a malicious app," noted Google in July. "Now, the malware has to gain system privileges, or inject code into Chrome, something that legitimate software shouldn't be doing."

However, by September, several infostealer operations had discovered ways to circumvent the new security feature, allowing their cybercriminal customers to once again siphon and decrypt sensitive data from Google Chrome.

Google previously stated that the "cat and mouse" game between info-stealer developers and its engineers was to be expected, and that they never assumed that its defence measures would be impenetrable. Instead, they believed that by introducing App-Bound encryption, they could finally set the groundwork for progressively constructing a more robust system. Below is Google's response from the time:

"We are aware of the disruption that this new defense has caused to the infostealer landscape and, as we stated in the blog, we expect this protection to cause a shift in attacker behavior to more observable techniques such as injection or memory scraping. This matches the new behavior we have seen. 

We continue to work with OS and AV vendors to try and more reliably detect these new types of attacks, as well as continuing to iterate on hardening defenses to improve protection against infostealers for our users."