Millions at Risk: Hacked Chrome Extensions Leak Sensitive Data

Your web browser is an ecosystem of its own, storing a plethora of sensitive information such as passwords, search history, financial details like credit card numbers, and personal addresses. Similar to how malicious apps can compromise data on your phone or PC, malicious browser extensions can expose the data stored within your browser. Recently, security researchers discovered a dangerous new campaign targeting browser extensions, with around 36 extensions compromised. This breach has placed over 2.6 million Chrome users at risk of having their browsing data and account credentials exposed.

1. How hackers are targeting browser extensions

Hackers are exploiting browser extensions as a gateway to steal sensitive user data through various methods. These compromised extensions are exposing over 2.6 million users to data exposure and credential theft, as detailed by The Hacker News. One common attack involves phishing campaigns targeting publishers of legitimate extensions on platforms like the Chrome Web Store. In these campaigns, attackers trick developers into granting permissions to malicious applications, which then insert harmful code into popular extensions. This code can steal cookies, access tokens, and other user data.

The first company to bring this campaign to light was cybersecurity firm Cyberhaven. One of their employees fell victim to a phishing attack on December 24, allowing the threat actors to publish a malicious version of the extension. Once these malicious extensions pass the Chrome Web Store’s security review and are published, they become available to millions of users, putting them at risk of data theft. Attackers can use these extensions to exfiltrate browsing data, monitor user activity, and bypass security measures such as two-factor authentication. In some cases, developers themselves may unknowingly include data-gathering code as part of a monetization software development kit (SDK), which stealthily exfiltrates detailed browsing data. This complicates the process of determining whether a compromise is due to a hacking campaign or intentional developer inclusion.

2. Remove these extensions from your web browser

The browser extension security platform Secure Annex has launched its own investigation into this hacking campaign. So far, they have uncovered over twenty additional compromised extensions, which are listed below. If you have any of the compromised extensions listed in Secure Annex’s investigation installed on your browser, it’s essential to remove them immediately to protect your data.

• AI Assistant – ChatGPT and Gemini for Chrome
• Bard AI Chat Extension
• GPT 4 Summary with OpenAI Search
• Copilot AI Assistant for Chrome
• TinaMind AI Assistant
• Wayin AI
• VPNCity
• Internxt VPN
• Vindoz Flex Video Recorder
• VidHelper Video Downloader
• Bookmark Favicon Changer
• Castorus
• Uvoice Reader Mode
• Parrot Talks
• Primus Tackker – online keylogger tool
• AI Shop Buddy
• Sort by Oldest
• Rewards Search Automator
• ChatGPT Assistant – Smart Search
• Keyboard History Recorder
• Email Hunter
• Visual Effects for Google Meet
• Earny – Up to 20% Cash Back
• Cyberhaven security extension V3
• GraphQL Network Inspector
• Vidnoz Flex – Video recorder & Video share
• YesCaptcha assistant
• Proxy SwitchyOmega (V3)
• ChatGPT App Web Mirror
• Hi AI

Keeping these extensions installed is a significant risk as hackers can still access your data even if the malicious version has been taken down from the Chrome Web Store. Secure Annex continues to investigate and has shared a public Google Sheet with details about the malicious extensions they have identified so far, including whether they have been updated or removed. They are also adding new extensions to the list as they discover them.

3. How to remove an extension from Google Chrome

If you have installed any of the above-mentioned extensions on your browser, it is crucial to remove them as soon as possible. To remove an extension from Google Chrome, follow these steps:

1. Open Chrome and click the icon that resembles a puzzle piece. You’ll find it in the top-right corner of the browser.
2. You can now view all the active extensions.
3. Click the three dots icon next to the extension you wish to remove and select Remove from Chrome.
4. Click Remove to confirm.

4. Troubleshooting

If you don’t see some of the items mentioned in the Chrome browser above, be sure to update your Chrome Browser. The “puzzle” piece icon in Chrome represents the Extensions Toolbar Menu, where you can manage your browser extensions. If you don’t see it, consider the following possibilities:

Extensions may be disabled. If you don’t have any extensions installed or they’ve been disabled, the puzzle piece icon might not appear. You can check your extensions by typing chrome://extensions/ in the address bar. The icon might be hidden. Click on the three vertical dots (menu) in the upper-right corner of Chrome, then look for “Extensions” in the dropdown menu. Sometimes, the Extensions Toolbar Menu may be disabled in Chrome’s settings. To check, type chrome://flags/ in the address bar, search for “Extensions Toolbar Menu,” and ensure it’s enabled. If you are using multiple profiles in Chrome, make sure you’re signed into the correct profile that has the extensions installed. If none of these solutions work, you might want to reinstall Chrome or reset your browser settings to their default state.

5. Seven ways to stay safe from malicious software

1. Verify emails and links before clicking: Many attacks begin with phishing emails that impersonate trusted entities like Google Chrome Web Store Developer Support. These emails often create a false sense of urgency, urging you to click on malicious links. Always verify the sender’s email address and avoid clicking on links without double-checking their authenticity. When in doubt, go directly to the official website rather than using a provided link.

2. Use strong antivirus software: Having strong antivirus software is an essential line of defense against malicious software. These tools can detect and block malicious code, even if it has been embedded in browser extensions. The best way to safeguard yourself from malicious links that install malware and potentially access your private information is to have antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe.

3. Limit extension permissions: Be cautious about the permissions you grant to browser extensions. Many request access to sensitive data like browsing history, cookies, or account information, but not all requests are necessary. Review what each extension asks for and deny permissions that seem excessive. Opt for extensions with limited access if possible, ensuring your data remains protected.

4. Limit the number of extensions: Only install extensions that are genuinely needed and regularly review and uninstall those no longer in use.

5. Keep your browser updated: Always update your browser to the latest version. Updates often include critical security patches that protect against vulnerabilities exploited by malicious software. Using an outdated browser increases the risk of being targeted by attacks that could have been prevented with a simple update. Enable automatic updates to ensure you’re always protected. If you are unsure how to update your browser, check out detailed guides available online.

6. Regularly audit your extensions: Conduct periodic reviews of installed extensions and remove any that are unnecessary or pose potential security risks.

7. Report suspicious extensions: If you encounter a suspicious extension, report it to the official browser extension marketplace.

6. Kurt’s key takeaway

Your web browser serves as a robust ecosystem, housing a myriad of sensitive information such as passwords, search history, financial details, including credit card numbers, and personal addresses. Much like how malicious apps can infiltrate and compromise the data on your phone or PC, harmful browser extensions have the potential to expose the sensitive data stored within your browser. Recently, security researchers uncovered a disturbing new campaign aimed at compromising browser extensions. Alarmingly, approximately 36 extensions have fallen victim to this attack. This breach has left over 2.6 million Chrome users vulnerable to having their browsing data and account credentials exposed. Users of these compromised extensions face significant risks as cybercriminals can exploit these vulnerabilities to gain unauthorized access to personal information. It is essential for users to stay vigilant, regularly update their extensions, and remove any that seem suspicious to mitigate these risks and protect their sensitive data from malicious actors.