Google Chrome Extensions Targeted In ‘Hijacking Spree’

Google Chrome has come under repeated attack in recent weeks via Chrome Extensions, which allow additional functionality to be added to the browser.

Ever since 2013, Chrome Extensions have only been available from the Chrome Web Store, after Google disabled the installation of Chrome extensions from third-party websites in an effort to improve security.

But according to Proofpoint, since the end of July and beginning of August, several Chrome Extensions were compromised after their authors’ Google Account credentials were stolen via a phishing scheme.

Compromised Extensions

“This resulted in hijacking of traffic and exposing users to potentially malicious popups and credential theft,” the researchers warned.

It apparently began when the Chrome extension Copyfish was compromised after its developer responded to a phishing email – with his Google password. But matters did not stop there, and now more Chrome extensions are apparently no longer safe to use. It seems the hackers used the same attack vector against these other extension developers.

Incidentally, Proofpoint has not identified any extension developers, except for Chris Pederick (developer of Web Developer Chrome extension) who had tweeted about the compromise of his extension earlier this month.

These compromised Chrome extensions mean that users who have installed them risk seeing their traffic hijacked or their account credentials stolen.

Alternatively, the compromised extensions try to trick users into clicking on “repair” programs that redirect them to programs from which the hackers profit financially.

“Threat actors continue to look for new ways to drive traffic to affiliate programs and effectively surface malicious advertisements to users,” concluded Proofpoint. “In the cases described here, they are leveraging compromised Chrome extensions to hijack traffic and substitute advertisements on victims’ browsers.”

And they warned of the dangers posed once a developer’s details are compromised.

“Once they obtain developer credentials through emailed phishing campaigns, they can publish malicious versions of legitimate extensions,” Proofpoint warned. “In addition to hijacking traffic and driving users to questionable affiliate programs, we have also observed them gathering and exfiltrating Cloudflare credentials, providing the actors with new means of potential future attacks.”

Other Attacks

This is not the first time that Google Extensions have had security issues.

In 2014 for example, Google was forced to pull two extensions for its Chrome browser following claims from users that the add-ons were spamming them with unwanted advertisements.

The two extensions, “Add to Feedly” and “Tweet This Page”, were apparently updated covertly to include extra code that served unwanted ads.

And then in 2015, ScrapeSentry discovered a malicious Google Chrome extension masquerading as a screenshot application that was sending the browsing information of up to 1.2 million users to an IP address in the USA.

Tom Jowitt
