Google Chrome Extensions Stealing Users’ Data

What’s the first thing you do when you want to search for anything?

Most of the time, you open your Google Chrome browser. But what if you found out that the extensions you were using in Chrome had been stealing your data for years?

This week, Cisco’s Duo Security team reported an issue with Chrome extensions. They said: “Browser extensions have been known as a weak point for individual security and privacy due to their potential for misuse under the general guise of helpful applications. In the case reported here, the Chrome extension creators had specifically made extensions that obfuscated the underlying advertising functionality from users. This was done in order to connect the browser clients to a command and control architecture, exfiltrate private browsing data without the users’ knowledge, expose the user to risk of exploits through advertising streams, and attempt to evade the Chrome Web Store’s fraud detection mechanisms.”

Google has pulled over 500 Chrome extensions from its Web Store that researchers discovered were stealing browsing data and executing click fraud and malvertising after installing themselves on the computers of millions of users.

Users were being inadvertently redirected to ads, in order for the developers behind the extensions to take a cut of that traffic. In interviews with impacted users, most reported being unaware of any obvious impacts on their browsing experience.

This is not the first time data-stealing extensions have been discovered on the Chrome browser. Last July, security researcher Sam Jadali and The Washington Post uncovered a massive data leak called DataSpii (pronounced data-spy) perpetrated by shady Chrome and Firefox extensions installed on as many as four million users’ browsers.

Mozilla’s Firefox has experienced the same issue on a smaller scale to the extent that it recently banned 197 risky extensions and reminded everyone that it no longer tolerates extensions that execute remote code.

Anyone using one of the now-suspended 500 extensions will find they’ve automatically been deactivated in their browser, with warnings that mark them as malicious. Uninstalling them, however, must be done by the user. The lesson is not to assume that because an extension is hosted on an official web store, it is safe to use.

Recommendations:

It is recommended to:

  • Install as few extensions as possible and, despite the above, only from official web stores.
  • Check the reviews and feedback from others who have installed the extension.
  • Pay attention to the developer’s reputation, how responsive they are to questions, and how frequently they post version updates.

  • Study the permissions each extension asks for (in Chrome, Settings -> Extensions -> Details) and check they’re in line with the features of the extension. If these permissions change, be suspicious.
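
One way to carry out the permission check recommended above is sketched here as an added example, not part of the original article or the Duo report: it reads each extension's `manifest.json`, flags grants that reach every site, and reports grants that were absent at the last review. The `BROAD` review list, the baseline format, and the sample extension ids and names are assumptions constructed for illustration.

```python
import json
from pathlib import Path

# Assumed review list of grants that expose browsing data on every site (not Chrome's own list).
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*", "tabs", "history", "cookies", "webRequest"}

def requested_permissions(manifest):
    """Collect API and host grants from a Manifest V2 or V3 manifest.json."""
    perms = set()
    for key in ("permissions", "optional_permissions", "host_permissions"):
        perms.update(p for p in manifest.get(key, []) if isinstance(p, str))
    for script in manifest.get("content_scripts", []):
        perms.update(script.get("matches", []))  # sites where the extension injects code
    return perms

def audit(manifests, baseline):
    """manifests: {extension id: manifest dict}; baseline: {extension id: grants seen at last review}."""
    findings = []
    for ext_id, manifest in sorted(manifests.items()):
        perms = requested_permissions(manifest)
        broad = sorted(perms & BROAD)
        added = sorted(perms - set(baseline[ext_id])) if ext_id in baseline else []
        if broad or added:
            findings.append({"id": ext_id, "name": manifest.get("name", "?"),
                             "broad": broad, "added": added})
    return findings

def load_profile(extensions_dir):
    """Read <profile>/Extensions/<id>/<version>/manifest.json; the last version in sorted order wins."""
    found = {}
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        found[path.parts[-3]] = json.loads(path.read_text(encoding="utf-8"))
    return found

# Constructed sample data: hypothetical extension ids and names, not taken from the report.
SAMPLE_MANIFESTS = {
    "aaaaexampleid": {"name": "Weather Widget", "manifest_version": 3,
                      "permissions": ["storage", "tabs"], "host_permissions": ["<all_urls>"]},
    "bbbbexampleid": {"name": "Dark Theme", "manifest_version": 3, "permissions": ["storage"]},
}
SAMPLE_BASELINE = {"aaaaexampleid": ["storage"], "bbbbexampleid": ["storage"]}

if __name__ == "__main__":
    # For a real profile, pass load_profile("<path to profile>/Extensions") instead of the sample.
    for finding in audit(SAMPLE_MANIFESTS, SAMPLE_BASELINE):
        print(json.dumps(finding))
```

Saving the output of `requested_permissions` for each extension after a review gives the baseline for the next run, so a later update that asks for more shows up under `added`.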