108 Chrome extensions caught stealing user data

A hidden network of malicious browser tools has slipped into one of the internet’s most trusted marketplaces, raising fresh concerns about how secure everyday browsing really is. Security researchers have discovered more than 100 Chrome extensions which operate to collect confidential user information without detection.

Cybersecurity firm Socket discovered 108 malicious extensions inside the Chrome Web Store, which included extensions from gaming tools and translation services and social media enhancers. Users expected to find certain features within these tools which appeared to work properly.

Through these extensions, people were stealing personal information from others without their knowledge. At least 54 extensions collected emails, profile details, and Google account identifiers, while others intercepted authentication tokens that could allow attackers to access accounts without passwords.

The most alarming discovery involved extensions targeting Telegram users. Some tools were found extracting Telegram Web session data every 15 seconds, effectively giving attackers continuous access to private conversations.

Dozens of extensions installed dangerous software onto websites while they changed browser protection features and sent users to undesired material. The infected devices contained 45 backdoor functions which allowed operators to control the system and access any website through remote commands.

The investigators tracked the extensions back to one command-and-control infrastructure because they discovered that the extensions had been published under multiple developer profiles. The operation functions as a Russian malware-as-a-service operation according to code patterns, although no specific group has been confirmed.

The campaign demonstrates a large operational scope. Researchers estimate the extensions have already been installed more than 20000 times, which enables their potential impact to reach users throughout the world.

The flagged extensions remain operational in the store despite takedown requests which have been made. Users must take action themselves because they have no protection from this situation.

Experts recommend that users should first check their installed extensions at once and then remove any unknown extensions, while they should only grant necessary access permissions.