This post was originally published on March 3, 2020.
Security researchers at a division of Cisco said last week that they had uncovered 71 extensions in the Chrome Web Store that had covertly uploaded the personal data of millions of unsuspecting users to private servers controlled by a malicious group.
Independent researcher Jamila Kaya and Duo Security employee Jacob Rickerd worked together to identify the offending apps. The team discovered that the bad actors utilized security loopholes in advertising cookies to evade detection and convince users that the apps were vanilla ad-based services.
The researchers added that the offending extensions had been around since at least January 2019, with a flood of activity between March and June of last year. It’s possible, they conceded, that the hackers could have been in operation as far back as 2017.
There is no way of estimating how many data points were transferred over to the prying eyes, but the extensions in question had 1.7 million users cumulatively.
After the internet sleuths privately reported their findings to Google, the Mountain View-based company used their tactics to identify 430 additional extensions that shared almost identical source code and expelled the lot from its web store.
Malicious extensions disguised within ads and redirects
Legitimate freemium apps use a complex web of redirects and advertising cookies to serve users but also make a quick buck on the side through location tracking. This network of 500 apps utilized similar protocols to trick Google and gain entrance into the web store, but once installed, forced redirects to a plethora of phishing sites where the malicious code sprung into action.
The researchers noted that the technique, referred to as “malvertising,” is an increasingly common attack vector and may also be utilized to generate high volumes of bot web traffic to siphon cash from programmatic ad platforms.
Malvertising can act “as a vehicle for multiple forms of fraudulent activity, including ad-fraud, data exfiltration, phishing, and monitoring and exploitation,” was the sobering assessment.
Chrome extensions are a chink in the security chain
Less than a year ago, independent security researcher Sam Jadali lifted the lid on the security loophole DataSpii, brought to life by web analytics company Nacho Analytics. The data-scraping upstart brashly proclaimed itself as “God Mode for the internet,” confidently expressing that users could “learn the secrets of the best in the world.”
An investigation into DataSpii by Google revealed that over 4.1 million users were affected by the spying network.
DataSpii masked itself as a series of legitimate Chrome extensions that collected all the URLs, webpage titles, and the hyperlinks that their users visited. Much to his horror, Sam concluded that DataSpii extensions were able to extract information on tax returns, presentation slides, Messenger attachments, private Facebook photos, vehicle identification numbers, and more.
Among the companies affected included security firms like FireEye, health providers AthenaHealth, Pfizer, and Roche, as well as TMobile, Under Armour, and Blue Origin.
What can I do to protect myself?
While these offending extensions are no longer on user devices, there’s more than a fair chance of similar zero-day vulnerabilities in the wild. Security best practices dictate that you start by refraining from installing extensions that have little or no ratings.
One perplexing characteristic of the discussed extensions was that, despite over a million and a half downloads, most of them had just a handful of reviews. That’s not a prudent approach for end-users.
Additional steps you can take is to stop yourself from installing extensions willy-nilly. Read each extension’s description and see if it will genuinely benefit you. If you already have many of them on your browser, it’s probably a good idea that you take a few minutes to audit them carefully.
If some of them have been idle for a while, go ahead and click uninstall. You probably don’t need them anyway.
A further step is the extension of Google’s bug bounty program. This new initiative, called the Developer Data Protection Reward Program, will offer incentivized cash rewards for those who uncover extensions that don’t play by the rules.