500 thousand downloads for 4 harmful Chrome extensions (already removed)
The extensions identified are part of a campaign that secretly steers the browser to ad-laden sites, but in expert hands they could also be used as spying tools.
ICEBERG, an information-security company, has come across four potentially very dangerous Chrome extensions which have been downloaded more than 500 thousand times and which allow remote code execution, with everything that entails.
The discovery was made after the company detected a spike in suspicious outbound traffic coming from a client's workstation. The source of the traffic was quickly traced to a Chrome extension called HTTP Request Header, which used the machine it was installed on to secretly visit websites carrying numerous advertisements. The researchers then identified three other extensions, Nyoogle, Stickies and Lite Bookmarks, that behave in much the same way.
ICEBERG has collected evidence suggesting the extensions are linked to a scam whose sole aim is to generate revenue from user clicks. But the researchers warn that malicious extensions can, in expert hands, easily be turned into tools for espionage and for the exfiltration of information and data. The researchers privately communicated their findings to Google, also alerting the National Cyber Security Center of the Netherlands and the US CERT. Google removed the extensions after it received the report, and only after ICEBERG published a report explaining how the malicious extensions work.
The researchers write: "By its design, the Chrome JavaScript engine runs JavaScript code contained in JSON. For security issues Chrome prevents extensions from receiving JSON from external sources unless they explicitly request it through the Content Security Policy. When an extension enables the 'unsafe-eval' permission to perform this action, it may receive or process JSON from an externally controlled server, which creates a situation in which the author of the extension can inject and execute arbitrary JavaScript code at any moment the server receives a request."
Chrome is known to be among the safest browsers currently in circulation, but when dealing with its extensions, especially third-party components, the right amount of caution is warranted: install only the add-ons you cannot do without, read the reviews of other users, check the developer's credibility in depth and, for the more technical, inspect the code and behaviour of the extension.
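The two passages above describe the mechanism (an extension that relaxes its Content Security Policy with 'unsafe-eval' can turn server-supplied JSON into executable code) and the advice to inspect an extension's code before trusting it. The following script is an added example, not code from the article or from ICEBERG: it reads an extension's manifest, works out the CSP that applies to the extension's own pages (the Manifest V2 string form or the Manifest V3 object form, falling back to Chrome's default policy when none is declared) and flags 'unsafe-eval' and any remote script source. The three manifests it audits are constructed for the example and do not correspond to the extensions named in the article; the function and rule names are the example's own.

```javascript
// Added example (not the article's or ICEBERG's code): audit a Chrome
// extension manifest for the CSP weakness described by the researchers.
// Chrome's default extension CSP forbids eval-style execution and remote
// scripts; an extension must opt out explicitly via content_security_policy.
const DEFAULT_EXTENSION_CSP = "script-src 'self'; object-src 'self'";

// Parse a CSP string into { directiveName: [sourceExpressions] }.
function parseCsp(csp) {
  const directives = {};
  for (const part of csp.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    directives[name.toLowerCase()] = values;
  }
  return directives;
}

// Return the CSP that governs the extension's own pages, handling both the
// Manifest V2 string form and the Manifest V3 object form.
function effectiveCsp(manifest) {
  const csp = manifest.content_security_policy;
  if (typeof csp === "string") return csp;
  if (csp && typeof csp.extension_pages === "string") return csp.extension_pages;
  return DEFAULT_EXTENSION_CSP;
}

// Audit one manifest; returns a list of { rule, detail } findings.
function auditManifest(manifest) {
  const findings = [];
  const scriptSrc = parseCsp(effectiveCsp(manifest))["script-src"] || [];

  // Rule 1: 'unsafe-eval' lets runtime data (e.g. JSON fetched from the
  // author's server) be evaluated as code, after the store review is over.
  if (scriptSrc.includes("'unsafe-eval'")) {
    findings.push({
      rule: "unsafe-eval",
      detail: "script-src allows 'unsafe-eval': fetched data can be executed as code",
    });
  }
  // Rule 2: a remote script origin means the code the reviewer saw can be
  // replaced server-side at any time without a new store submission.
  for (const src of scriptSrc) {
    if (/^(https?:)?\/\//i.test(src) || src === "*") {
      findings.push({
        rule: "remote-script-src",
        detail: `script-src permits scripts from ${src}: code can change server-side`,
      });
    }
  }
  return findings;
}

// Constructed sample manifests (hypothetical extensions, not those in the article).
const WEAK_MANIFEST = {
  manifest_version: 2,
  name: "Header Helper (constructed)",
  version: "1.0",
  content_security_policy:
    "script-src 'self' 'unsafe-eval' https://updates.example.invalid; object-src 'self'",
};
const HARDENED_MANIFEST = {
  manifest_version: 3,
  name: "Header Helper (constructed)",
  version: "1.1",
  content_security_policy: { extension_pages: "script-src 'self'; object-src 'self'" },
};
const DEFAULT_MANIFEST = { manifest_version: 2, name: "Defaults only (constructed)", version: "1.0" };

for (const m of [WEAK_MANIFEST, HARDENED_MANIFEST, DEFAULT_MANIFEST]) {
  const findings = auditManifest(m);
  const summary = findings.length === 0 ? "no CSP findings" : findings.map((f) => f.rule).join(", ");
  console.log(`${m.name} v${m.version}: ${summary}`);
}
```

Run it with Node: the weak manifest produces both findings, while the hardened Manifest V3 manifest and the manifest that declares no policy at all (and therefore inherits Chrome's default) produce none. To audit a real extension, replace the constructed objects with the parsed `manifest.json` from the extension's unpacked directory; a clean CSP does not prove an extension is benign, but 'unsafe-eval' combined with a remote server is exactly the combination the researchers describe and deserves a closer look at the code.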