In the same way that malicious apps can end up on your phone, your browser and, by extension, your computer can be infected after installing a risky extension in Chrome. Likewise, even legitimate extensions can turn malicious when tampered with by hackers.
As reported by The Hacker News, a dangerous new campaign targeting browser extensions has been spotted online. So far, at least 16 extensions have been compromised, with over 600,000 Chrome users now at risk of exposing their browsing data and account credentials online.
Here’s everything you need to know about this new campaign, including a full list of all the compromised extensions so far, along with some tips and tricks on protecting yourself from falling victim to these now malicious Chrome extensions.
From phishing to malicious code injection
The cybersecurity firm Cyberhaven was the first to fall victim after one of its employees was targeted by a phishing attack on Christmas Eve.
To make their initial phishing email more convincing, the hackers behind this campaign made it appear that the message came from Google Chrome Web Store Developer Support. The email tried to instill a sense of urgency by claiming that the company’s extension would soon be removed from the Chrome Web Store due to violating Google’s Developer Program Policies.
From there, the targeted employee was encouraged to click on a link to accept the search giant’s new policies. After doing so, they were redirected to a page that granted permissions to a malicious OAuth app named “Privacy Policy Extension.”
In a blog post, Cyberhaven explained that once the necessary permissions had been granted, the hacker in question then uploaded a malicious Chrome extension to the Chrome Web Store from the company’s account. After undergoing an obligatory security review, it was approved and then available to download for all of Chrome’s 3.45 billion users.
To its credit, Cyberhaven notified all of its customers about the incident on December 26th after removing the compromised extension from the Chrome Web Store. The cybersecurity company is also working with federal law enforcement to help track down the hackers responsible for injecting malicious code into its extension in the first place.
Delete these browser extensions right now
While Cyberhaven was the first, it wasn’t the only company that had its Chrome extension tampered with by hackers. The browser extension security platform Secure Annex is currently conducting its own investigation into the matter, and so far, it has found over twenty more now-compromised extensions, which include:
- AI Assistant - ChatGPT and Gemini for Chrome
- Bard AI Chat Extension
- GPT 4 Summary with OpenAI
- Search Copilot AI Assistant for Chrome
- TinaMind AI Assistant
- Wayin AI
- VPNCity
- Internxt VPN
- Vindoz Flex Video Recorder
- VidHelper Video Downloader
- Bookmark Favicon Changer
- Castorus
- Uvoice
- Reader Mode
- Parrot Talks
- Primus
- Tackker - online keylogger tool
- AI Shop Buddy
- Sort by Oldest
- Rewards Search Automator
- ChatGPT Assistant - Smart Search
- Keyboard History Recorder
- Email Hunter
- Visual Effects for Google Meet
- Earny - Up to 20% Cash Back
Although some of these compromised extensions have now been removed from the Chrome Web Store, if you have any of them installed in your browser, you will need to manually remove them.
You can do this by opening Chrome, clicking on the three-dot menu in the top right corner and heading to Extensions. Once there, select Manage extensions, navigate to the extension you want to remove and then select Remove to uninstall it. Finally, restart Chrome to ensure the offending extension has been fully removed from your browser.
If there are any you absolutely need and rely on during your day-to-day, check back on their store pages later and redownload them once any malicious code injected into them has been removed through a patch.
It’s also worth noting that Secure Annex’s investigation is ongoing. The firm has a spreadsheet (a public Google Sheet) with more information on the malicious extensions it has discovered so far, such as whether they’ve been updated or removed. At the same time, it is adding new malicious extensions to this list as they’re discovered.
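To check a machine against the list above without clicking through Chrome's menus, the following added example (not code from Cyberhaven or Secure Annex) reads Chrome's on-disk extension manifests and reports any whose display name matches. It assumes the default Linux profile path and matches on name only, since the article gives names rather than extension IDs, so a hit is a prompt to review the extension and not proof of compromise.

```python
import json
from pathlib import Path

# Names from the article's list; compared case-insensitively.
FLAGGED = {n.casefold() for n in [
    "AI Assistant - ChatGPT and Gemini for Chrome", "Bard AI Chat Extension",
    "GPT 4 Summary with OpenAI", "Search Copilot AI Assistant for Chrome",
    "TinaMind AI Assistant", "Wayin AI", "VPNCity", "Internxt VPN", "Castorus",
    "Vindoz Flex Video Recorder", "VidHelper Video Downloader", "Uvoice",
    "Bookmark Favicon Changer", "Reader Mode", "Parrot Talks", "Primus",
    "Tackker - online keylogger tool", "AI Shop Buddy", "Sort by Oldest",
    "Rewards Search Automator", "ChatGPT Assistant - Smart Search",
    "Keyboard History Recorder", "Email Hunter", "Visual Effects for Google Meet",
    "Earny - Up to 20% Cash Back",
]}

def display_name(version_dir: Path) -> str:
    """Return the extension's name, resolving __MSG_key__ placeholders."""
    manifest = json.loads((version_dir / "manifest.json").read_text(encoding="utf-8-sig"))
    name = manifest.get("name", "")
    if name.startswith("__MSG_") and name.endswith("__"):
        key = name[6:-2].casefold()
        locale = manifest.get("default_locale", "en")
        try:
            msgs = json.loads((version_dir / "_locales" / locale / "messages.json")
                              .read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            return name
        for k, v in msgs.items():  # message keys are case-insensitive
            if k.casefold() == key:
                return v.get("message", name)
    return name

def audit(extensions_dir: Path) -> list[tuple[str, str, str]]:
    """Return (extension_id, version, name) for installed extensions on the list."""
    hits = []
    for manifest in sorted(extensions_dir.glob("*/*/manifest.json")):
        try:
            name = display_name(manifest.parent)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it
        if name.strip().casefold() in FLAGGED:
            hits.append((manifest.parent.parent.name, manifest.parent.name, name))
    return hits

if __name__ == "__main__":
    profile = Path.home() / ".config/google-chrome/Default/Extensions"  # assumed path
    for ext_id, version, name in audit(profile):
        print(f"{ext_id}  {version}  {name}")
```

On Windows the same folder sits under `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions` and on macOS under `~/Library/Application Support/Google/Chrome/Default/Extensions`; additional profiles replace `Default` with `Profile 1`, `Profile 2`, and so on.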
How to stay safe from malicious browser extensions
Just like on your phone with malicious apps, the easiest way to avoid falling victim to a malicious browser extension is by limiting the number you have installed. Before installing any new extension, first ask yourself if you really need it. Chances are you probably don’t.
From there, you want to carefully inspect each extension’s listing page on the Chrome Web Store before you install it. Is the developer highly rated? When was the last time they updated their extension? What do the reviews say about this particular extension? From my own experience, Chrome users are very vocal when it comes to saying whether or not an extension really does what its developers say it should in their reviews.
Since even legitimate Chrome extensions can go bad, as we’re seeing in this new campaign, you also want to ensure that all of your computer's software (especially your browser) is up to date. The reason is that hackers love to go after users running outdated software on their machines.
As for staying safe from malicious extensions, you want to ensure you’re using the best antivirus software on your Windows computers and the best Mac antivirus software solutions on your Apple computers. Antivirus software can help if a rogue extension tries to drop malware on your PC. However, for additional protection, it might also be worth investing in the best identity theft protection services since they can help you recover any lost funds and your identity after a more serious attack.
Whether it’s apps or extensions, hackers are going to keep using extra software you install on your phone, computer or even your browser in their attacks. Malicious extensions may not be as common as bad apps. Still, since Chrome controls two-thirds of the global browser market share, according to Statista, Google’s browser is an easy and profitable target for hackers. This means it’s up to you to be extra careful when installing new extensions, even if they seem absolutely harmless at first glance.