If you are like millions of users, you have downloaded and installed browser extensions on your workstation to save time and increase productivity. Unfortunately, four browser extensions for Google Chrome apparently have been doing some extra work that users weren't aware of.
Security firm ICEBRG discovered the malicious extensions after noticing a spike in usage on a customer's computer. The extensions - HTTP Request Header, Nyoogle, Stickies, and Lite Bookmarks - would visit ad-based web links without the user's knowledge, likely as part of a click-fraud scam. Once alerted, Google removed the extensions from the Chrome Web Store within a day, but even with the quick response, the extensions had a combined total of more than 500,000 downloads.
When examining the code, ICEBRG found that HTTP Request Header didn't contain code that was malicious in itself, but two capabilities together - JavaScript injection and browser proxying - raised the possibility of problematic code execution. The others worked in a similar fashion.
"Hygiene of user workstations is a difficult problem to tackle, made even more difficult by the exhaustive number of ways that code can execute through seemingly legitimate applications and plugins," ICEBRG said in its security report. "In this case, the inherent trust of third-party Google extensions, and accepted risk of user control over these extensions, allowed an expansive fraud campaign to succeed. In the hands of a sophisticated threat actor, the same tool and technique could have enabled a beachhead into target networks."
If you use Chrome, check your extensions to make sure you aren't using any of the four. If you are, uninstall them immediately.
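The check above can be scripted across every Chrome profile on a machine. The following is an added example, not code from ICEBRG or the original article: it assumes Chrome's default user-data locations and matches on the four extension names only, since the article gives no extension IDs.

```python
import json
import os
import sys
from pathlib import Path

# The four extension names reported in the article (matched case-insensitively).
FLAGGED = {"http request header", "nyoogle", "stickies", "lite bookmarks"}

def chrome_user_data_dirs():
    """Default Chrome user-data locations (assumption: standard install paths)."""
    home = Path.home()
    if sys.platform.startswith("win"):
        return [Path(os.environ.get("LOCALAPPDATA", home)) / "Google/Chrome/User Data"]
    if sys.platform == "darwin":
        return [home / "Library/Application Support/Google/Chrome"]
    return [home / ".config/google-chrome"]

def display_name(ext_dir, manifest):
    """Resolve the manifest name, following a __MSG_key__ placeholder into _locales."""
    name = str(manifest.get("name", ""))
    if name.startswith("__MSG_") and name.endswith("__"):
        key = name[6:-2].lower()  # message keys are looked up case-insensitively
        path = ext_dir / "_locales" / str(manifest.get("default_locale", "en")) / "messages.json"
        try:
            msgs = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            return name
        for k, v in (msgs.items() if isinstance(msgs, dict) else []):
            if k.lower() == key and isinstance(v, dict):
                return str(v.get("message", name))
    return name

def find_flagged(user_data_dir):
    """Return sorted (profile, extension_id, name) tuples for flagged extension names."""
    hits = set()
    # Layout: <user data>/<profile>/Extensions/<id>/<version>/manifest.json
    for mf in Path(user_data_dir).glob("*/Extensions/*/*/manifest.json"):
        try:
            manifest = json.loads(mf.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or corrupt manifest: skip it
        if isinstance(manifest, dict):
            name = display_name(mf.parent, manifest)
            if name.strip().lower() in FLAGGED:
                hits.add((mf.parts[-5], mf.parts[-3], name))
    return sorted(hits)

if __name__ == "__main__":
    for root in chrome_user_data_dirs():
        for profile, ext_id, name in find_flagged(root):
            print(f"{root}: profile={profile} id={ext_id} name={name}")
```

A name match is a lead to review rather than proof, because an unrelated extension can carry the same name; confirm any hit on the chrome://extensions page before removing it.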
This isn't the first time that Google has had an issue with malicious or fraudulent extensions, and likely won't be the last.
Update: A Google rep responded to Neowin, saying "We're always working to improve how we detect malicious extensions, and will continue to update our security protections to help prevent these types of issues in the future." She pointed to a 2015 paper by the Google security team from the USENIX Security Symposium that shows the efforts the team makes to detect malicious extensions.
Via: Ars Technica | Image: ICEBRG