Saturday, April 19, 2025

 

DIGITAL LIFE


Is Your Browser Spying? Chrome Extensions With Hidden Trackers Exposed

Everyone knows (or should know) that the safest way to handle browser extensions is to make sure you're getting them from a trusted, reliable source. That alone isn't enough to ensure you want fall prey to hackers, though. Proving otherwise, dozens of extensions on the Chrome Web Store have been found to pose a security and privacy threat over the presence of hidden tracking code.

The total number of affected extensions tally 57 and collectively, they have amassed nearly 6 million installations. Some of them are more popular than others. The ones with the most installations—200,000 or more—including the following...

Cuponomia – Coupon and Cashback: 700,000

Fire Shield Extension Protection: 300,000

Total Safety for Chrome: 300,000

Protecto for Chrome: 200,000

Browser WatchDog for Chrome: 200,000

Securify for Chrome: 200,000

Browser Checkup for Chrome by Doctor: 200,000

Choose Your Chrome Tools: 200,000

The sinister nature of these and dozens of other extensions that are part of the group was highlighted by Secure Annex researcher John Tucker. As Tucker points out in a blog post on the topic, most of the extensions are unlisted.

That in and of itself can serve as a red flag, though it doesn't necessarily mean the extension is up to no good. Unlisted extensions don't get indexed by search engines so you won't find them with a simple lookup query. They also don't show up when searching the Chrome Web Store, and so the only way to access them is with a direct link.

"Many companies provide their software through unlisted extensions because it makes it harder for any normal user to find the extension and then hit a wall when it isn’t functional. It has also been known as a way to target users to install a malicious extension while being really hard to detect by security teams," Tucker explains.

Tucker says that one of the first extensions he looked at was Fire Shield Extension Protection, an unlisted extension with 300,000 installations and a 2.2 user rating. It's ostensibly designed to check your extensions and break them down by the permissions they use, and then alert the user if it finds anything suspicious.

Sounds helpful, but according to Tucker, the extension's permissions are "overly broad" and "heavily obfuscated" in code. These permissions allow the extension to access cookies and track a user's browser behavior, modify search providers and the subsequent search results, inject and execute remote scrips on visited pages (via iFrames), and more.

Is Your Browser Spying? Chrome Extensions With Hidden Trackers Exposed

It and several other extensions were also found to reference the domain unkonw.com, which triggered an alarm bell in Tucker's head.

"While I could not find an instance of the extension exfiltrating credentials, this level of obfuscation, the ability for the extension’s configuration to be remotely controlled, these patterns being seen across many different extensions, and the capabilities in the browser extension’s code is enough for me to come to the same conclusion that all of these extensions are a family of spyware or infostealers. That is ultimately the problem and threat these extension pose when they can be controlled remotely," Tucker states.

You can check out his blog post for more technical details (as spotted by Bleeping Computer, which heard from Google that it's investigating the matter). Additionally, he posted a full list of affected extensions in a Google Spreasheet. Be sure to check that out and if you're running any of the ones on the list, do yourself a solid and nuke it.

mundophone

No comments:

Post a Comment

  TECH 6G could spell the end of apps as we use them today The next major shift in mobile technology may not lie in faster video downloads o...