The Dark World of Chrome Extensions - Are you Prepared?

By Rick Deacon on February 6, 2020

Google Chrome is the most popular web browser in the world. The popular browser was launched in 2008 and is utilized by a whooping 62% of all web users. Naturally, organizations and businesses started exploring the possibilities of Chrome extensions in 2010. Extensions are basically add-ons that customize your browser to open doors to a plethora of functions offered by websites.

Chrome Extensions - Augmenting the Browser Experience

Chrome extensions have improved user experience in significant ways, paving way for seamless and enjoyable browsing. For example, Google Dictionaryenables users to search the definition of any word without the need of opening a new tab for a dictionary site. Simply highlight the target word, select the Chrome extension, and the dictionary works its magic. Fuss-free.

Cite this for Me: Web Citer is a Chrome Extension that is ideal for academics and students. All users need to do is list down their citations and bibliography required for their projects. The program churns out the results in structured citation format that is conveniently exported to a document. Then, there is AdBlock, a must-have extension for many users who wish to get rid of the pesky pop-ups that hinder their browsing experience.

However, troubles arise when the Chrome Extensions are manipulated by malicious individuals. And here lies a problem that bears devastating consequences such as identity theft, stolen information and full-on data breaches. According to anIBM data report, data breaches cost companies anywhere between $1.25 - $8.9 million in 2019. That is a staggering amount, which is one reason why data protection remains a major priority into 2020.

Chrome Extensions- Brief History and Behind the Scenes

Chrome set the record for being the first browser with an extension API that is exclusively based on HTML, CSS and JavaScript. These were web languages widely used by modern developers. The streamlined process made it easy for developers to focus on designing myriad extensions without worrying about compatibility issues. An unprecedented ease of use saw a flood of 750 million Chrome Extensions in the Chrome Web Store by 2012. Internet Explorer, a pioneer of web browsers, was quickly replaced by Chrome as the people's choice.

Unfortunately, the tremendous success of Chrome Extensions also drew the attention of malware developers and cyber terrorists.

These individuals saw the potential of Chrome Extensions as a means of tapping into confidential information such as user information and browsing history. Additionally, extensions were a possible way to modify website information, alter browser settings and infiltrate browsers with unwanted features (such as devices that steal log-in information). Chrome Extensions seemed like the ideal weapon for cyber attacks.

Notable Google Chrome Cases

Mega was a notable example. The Mega Google Extension provides users with access to Mega's cloud storage services, which reduces loading time and improves download performance.

According to an official blog report by Mega, "On 4 September 2018 at 14:30 UTC, an unknown attacker uploaded a trojaned version of MEGA's Chrome extension, version 3.39.4, to the Google Chrome web store. Upon installation or autoupdate, it would ask for elevated permissions (Read and change all your data on the websites you visit) that MEGA's real extension does not require and would (if permissions were granted) exfiltrate credentials for sites including amazon.com, live.com, github.com, google.com (for webstore login), myetherwallet.com, mymonero.com, idex.market and HTTP POST requests to other sites, to a server located in Ukraine."

Then, there are Chrome Extensions with more brazen practices. SafeBrowse was a Chrome Extension that functioned similarly to AdBlock, which touted the usual solutions of eliminating unwanted pop-ups, improving browser performance, etc. That all changed when it introduced a highly suspicious update to version 3.2.25.

The update promised users with the function of eliminating URL redirectors among other things. But the offering had an insidious motive. Upon update, users began to realize that their CPUs were functioning at an unusually sluggish rate, with about 60% usage. This eventually caused poor CPU function and delayed responses.

When security tracking company Bleepingcomputer conducted a test on the extension, they uncovered a horrifying truth. It turned out that SafeBrowse had embedded a JavaScript application on the extension, which mined CPU power for the monero cryptocurrency. Essentially, the authors of SafeBrowse were funding their personal investments by compromising the CPU functions of their users.

Google has since removed the extension from its Chrome Store but retains a cache of the website for further investigation.

But perhaps one of the biggest and most recent cases of Chrome Extension abuse is known as DataSpii. The term is a double wordplay of the word spy and the exposure of personal identifiable information (PII). The massive plot was uncovered by a security analyst , Sam Jadali, who published his detailed findings on his website, Security with Sam.

Dataspii involved eight invasive Chrome extensions that harvested user data. The collected information was then distributed to a fee-based website, Nachos Analytics, which promotes itself as a service where you could "See Anyone's Analytic Account".

According to Jadali, the data breach affected many fortune 500 companies such as Apple and Facebook. Additionally, the leaks also involve users without the extensions, simply by establishing communication with an affected user. Google has been warned, and reacted by remotely removing all eight extensions from affected browsers. The extensions have also been removed from the Chrome Store. However, there is no knowing the true extent of data exploitation when more than 4 million users are involved.

Additional Measures Against Suspicious Chrome Extensions

Although Google has undoubtedly done its part in improving user transparency and security measures over the years - such as the Chrome update that displays prominent icons of every extension in your toolbar - it might be best to lay out a contigency plan.

There are experienced IT professionals who're are dedicated in rooting out the threats embedded within suspicious extensions. These hidden malwares can cost great financial losses while damaging your brand and professional reputation. Organizations and businesses can benefit from optimal cybersecurity standards by consutling an expert team with advanced tools and expertise.

Apozy is a trusted specialist when it comes down to detecting and firewalling all suspicious extensions from a central location. Learn how we can safeguard your precious data and digital assets from the most elusive malware with our intuitive and multibrowser-compatible solutions.


Author picture

by Rick Deacon


About Apozy

Founded in April of 2014 in San Francisco, we are a venture-backed motley crew of passionate hackers building cybersecurity technologies to make the world's information faster, cleaner and safer to access.