Skip to main content

Around 1.7 Million Users Data were stolen by 500 Chrome Extensions!!

chrome extensions

Google removed 500 malicious Chrome extensions from its Web Store after they found to inject malicious ads and siphon off user browsing data to servers under the control of attackers.

These extensions were part of a malvertising and ad-fraud campaign that's been operating at least since January 2019, although evidence points out the possibility that the actor behind the scheme may have been active since 2017.

The findings come as part of a joint investigation by security researcher Jamila Kaya and Cisco-owned Duo Security, which unearthed 70 Chrome Extensions with over 1.7 million installations.

Upon sharing the discovery privately with Google, the company went on to identify 430 more problematic browser extensions, all of which have since been deactivated.

"The prominence of malvertising as an attack vector will continue to rise as long as tracking-based advertising remains ubiquitous, and particularly if users remain underserved by protection mechanisms," said Kaya and Duo Security's Jacob Rickerd in the report.

A Well-Concealed Malvertising Campaign


Using Duo Security's Chrome extension security assessment tool — called CRXcavator — the researchers were able to ascertain that the browser plugins operated by surreptitiously connecting the browser clients to an attacker-controlled command-and-control (C2) server that made it possible to exfiltrate private browsing data without the users' knowledge.

The extensions, which functioned under the guise of promotions and advertising services, had near-identical source code but differed in the names of the functions, thereby evading Chrome Web Store detection mechanisms.

Chrome Extensions

In addition to requesting extensive permissions that granted the plugins access to clipboard and all the cookies stored locally in the browser, they periodically connected to a domain that shared the same name as the plugin (e.g., Mapstrekcom, ArcadeYumcom) to check for instructions on getting themselves uninstalled from the browser.


Upon making initial contact with the site, the plugins subsequently established contact with a hard-coded C2 domain — e.g., DTSINCEcom — to await further commands, the locations to upload user data, and receive updated lists of malicious ads and redirect domains, which subsequently redirected users' browsing sessions to a mix of legitimate and phishing sites.

"A large portion of these are benign ad streams, leading to ads such as Macy's, Dell, or Best Buy," the report found. "Some of these ads could be considered legitimate; however, 60 to 70 percent of the time a redirect occurs, the ad streams reference a malicious site."

Beware of Data-Stealing Browser Extensions


This is not the first time data-stealing extensions have been discovered on the Chrome browser. Last July, security researcher Sam Jadali and The Washington Post uncovered a massive data leak called DataSpii (pronounced data-spy) perpetrated by shady Chrome and Firefox extensions installed on as many four million users' browsers.

These add-ons collected browsing activity — including personally identifiable information — and shared it with an unnamed third-party data broker that passed it on to an analytics firm called Nacho Analytics (now shut down), which then sold the collected data to its subscription members in near real-time.

In response, Google began requiring extensions to only request access to the "least amount of data" starting October 15, 2019, banning any extensions that don't have a privacy policy and gather data on users' browsing habits.

For now, the same rule of caution applies: review your extension permissions, consider uninstalling extensions you rarely use or switch to other software alternatives that don't require invasive access to your browser activity.

Source : The Hacker News

Comments

Popular posts from this blog

10 Best Forum Software For Webmasters

10 Best Forum Software For Webmasters Do you want to create your online discussion forum or online community where people can discuss about their favorite topics? In this article, you can see 10 best forum software (scripts for setting up discussion forums) that can be used free of cost. Although some scripts are paid but rest of these forum scripts are free to use.You only need to buy hosting space and domain name for your website and after then you can install any of these forum scripts to start your own discussion forums on the internet. Online discussion forums generate huge page views because thousands of people want to join online discussion forums to ask questions or share knowledge. Some of online marketers join forums to discuss about their products with community members. You don't need to acquire any kind of technical skill to run a professional discussion forums because these days, almost all web hosting providers offer one click script installer which h...

|Bypass Symlink on 2013 Server With Different .htaccess and Methods by Sen Haxor |

Hi, Guys,  Please a wonderfull tutorial provided bt Sem;\  Today I gonna Explain how to bypass Symlink on 2013 Server With Different .htaccess and Methods. So let's Get Started :) Note: This method is not applicable for Godaddy, Bluehost, Hostgator and Hostmonstor Servers. For This First You Need the Following Files : 1 -> Sen Haxor CGI Shell 2 -> sen.zip 3 -> passwd-bypass.php 4 -> Turbo Brute force Cpanel 5 - > Port.py First Before Starting to symlink we need to create php.ini and ini.php to Disable Safe mode and Disabled Functions on the server . Use the Following Code : Make a php.ini with the following code safe_mode=Off And ini.php with <? echo ini_get("safe_mode"); echo ini_get("open_basedir"); include($_GET["file"]); ini_restore("safe_mode"); ini_restore("open_basedir"); echo ini_get("safe_mode"); echo...

How to Hack WhatsApp using just a GIF

A picture is worth a thousand words, but a GIF is worth a thousand pictures. Today, the short looping clips, GIFs are everywhere—on your social media, on your message boards, on your chats, helping users perfectly express their emotions, making people laugh, and reliving a highlight. But what if an innocent-looking GIF greeting with Good morning, Happy Birthday, or Merry Christmas message hacks your smartphone? Well, not a theoretical idea anymore. WhatsApp has recently patched a critical security vulnerability in its app for Android, which remained unpatched for at least 3 months after being discovered, and if exploited, could have allowed remote hackers to compromise Android devices and potentially steal files and chat messages. WhatsApp Remote Code Execution Vulnerability The vulnerability, tracked as  CVE-2019-11932 , is a double-free memory corruption bug that doesn't actually reside in the WhatsApp code itself, but in an open-source GIF image parsing library that What...