Google Chrome has come under repeated attack in recent weeks via Chrome Extensions, which allow additional functionality to be added to the browser.
Ever since 2013, Chrome Extensions have only been available from the Chrome Web Store, after Google disabled the installation of Chrome extensions from third-party websites in an effort to improve security.
But according to Proofpoint, since the end of July and beginning of August, several Chrome Extensions were compromised after their authors’ Google Account credentials were stolen via a phishing scheme.
“This resulted in hijacking of traffic and exposing users to potentially malicious popups and credential theft,” the researchers warned.
It apparently began when the Chrome extension Copyfish was compromised after its developer responded to a phishing email with his Google password. But matters did not stop there, and now more Chrome extensions are apparently no longer safe to use. It seems the hackers used the same attack vector against these other extension developers.
Incidentally, Proofpoint has not identified any extension developers, except for Chris Pederick (developer of the Web Developer Chrome extension), who had tweeted about the compromise of his extension earlier this month.
These compromised Chrome extensions mean that users who have installed them could risk seeing their traffic hijacked or their account credentials stolen.
Alternatively, the compromised extensions try to trick users into clicking on “repair” programs that redirect them to programs from which the hackers profit financially.
“Threat actors continue to look for new ways to drive traffic to affiliate programs and effectively surface malicious advertisements to users,” concluded Proofpoint. “In the cases described here, they are leveraging compromised Chrome extensions to hijack traffic and substitute advertisements on victims’ browsers.”
And they warned of the dangers posed once a developer’s details are compromised.
“Once they obtain developer credentials through emailed phishing campaigns, they can publish malicious versions of legitimate extensions,” Proofpoint warned. “In addition to hijacking traffic and driving users to questionable affiliate programs, we have also observed them gathering and exfiltrating Cloudflare credentials, providing the actors with new means of potential future attacks.”
This is not the first time that Google Extensions have had security issues.
In 2014 for example, Google was forced to pull two extensions for its Chrome browser following claims from users that the add-ons were spamming them with unwanted advertisements.
The two extensions, “Add to Feedly” and “Tweet This Page”, were apparently updated covertly to include extra code that served unwanted ads.
And then in 2015, ScrapeSentry discovered a malicious Google Chrome extension, masquerading as a screenshot application, that was sending the browsing information of up to 1.2 million users to an IP address in the USA.