The Chrome Web Store is no stranger to controversy, and it has now courted more: Symantec researchers have found further malicious Chrome extensions on the official Web Store that compromise user security despite Google’s vetting processes. These extensions have a collective user base of over 100,000 people and use tactics like unauthorized clipboard access, data exfiltration, and the use of command-and-control infrastructure.
Identified threats range from deceptive monetization practices like search hijacking to high-risk activities, including remote code execution and session hijacking. To help keep end users safe, the researchers have reported these extensions to Google and are recommending their complete removal from the Web Store and user devices.
One of the bad extensions that was identified was called Good Tab, which is still available on the Chrome Web Store at the time of writing. The extension uses an insecure HTTP iframe to grant a remote domain full permission to read and write the user’s clipboard without disclosure. This vulnerability allows attackers to steal sensitive data such as passwords, or to swap cryptocurrency wallet addresses during transactions.
Another extension called Children Protection, which no longer seems to be available, functioned as a full command-and-control framework that used a domain generation algorithm to be resilient against server takedowns. The extension was able to harvest browser cookies for session hijacking and to execute arbitrary JavaScript pushed from a remote server.
Another troublesome extension was DPS Websafe, which also appears to be gone. This extension engaged in brand impersonation by using Adblock Plus iconography to trick users while hijacking their search queries and tracking their activity. There is also an extension called Stock Informer that contains a critical cross-site scripting vulnerability allowing remote attackers to execute code, due to a lack of origin checks on messaging events. This extension is also still available.
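To make the "lack of origin checks on messaging events" concrete, here is an added illustration (not code from Stock Informer or any other extension named above) of a window message handler with and without an origin allowlist and message validation; the allowed origin and the "quote" message shape are assumptions for the example, and the events are constructed inline so it runs under Node.

```javascript
// Added illustration of the postMessage weakness described above; it is not
// code from Stock Informer or any other extension. The allowed origin and the
// "quote" message shape are assumptions made for this example. Runs under Node
// with constructed event objects standing in for real window.postMessage events.

const ALLOWED_ORIGINS = new Set(["https://backend.example"]); // assumed origin

// Vulnerable pattern: no event.origin check, sender data goes into an HTML sink.
// Any page that can reach this window can deliver a message and have it rendered.
function vulnerableHandler(event, sink) {
  sink.innerHTML = String(event.data.html); // markup from an unverified sender
  return true;
}

// Hardened pattern: allowlist the sender, validate the message shape, use a text sink.
function hardenedHandler(event, sink, allowedOrigins = ALLOWED_ORIGINS) {
  if (!allowedOrigins.has(event.origin)) return false; // unknown sender: drop it
  const msg = event.data;
  if (typeof msg !== "object" || msg === null) return false;
  if (msg.type !== "quote") return false;
  if (typeof msg.symbol !== "string" || !/^[A-Z.]{1,10}$/.test(msg.symbol)) return false;
  const price = Number(msg.price);
  if (!Number.isFinite(price)) return false;
  sink.textContent = `${msg.symbol}: ${price.toFixed(2)}`; // text, never markup
  return true;
}

// Constructed sample events: one from an unrelated origin carrying markup,
// one well-formed quote from the allowed origin.
const hostileEvent = {
  origin: "https://unrelated.example",
  data: { type: "quote", symbol: "ACME", html: "<b>injected</b>" },
};
const goodEvent = {
  origin: "https://backend.example",
  data: { type: "quote", symbol: "ACME", price: "12.5" },
};

function demo() {
  const vulnSink = { innerHTML: "", textContent: "" };
  const safeSink = { innerHTML: "", textContent: "" };
  vulnerableHandler(hostileEvent, vulnSink); // foreign markup lands in the DOM
  const rejected = !hardenedHandler(hostileEvent, safeSink); // dropped on origin
  const accepted = hardenedHandler(goodEvent, safeSink); // rendered as text
  return { vulnHtml: vulnSink.innerHTML, rejected, accepted, safeText: safeSink.textContent };
}

console.log(demo());
```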
Users of the mentioned extensions are strongly advised to remove them to mitigate privacy and financial risks. This discovery just reinforces the idea that you cannot trust extensions in the Chrome Web Store even if they look as though they’re verified. The best thing to do is to use no extensions at all, but if you must, only use those you absolutely trust.