- Security researcher finds more than 30 unlisted Google Chrome extensions
- Cumulatively they have more than four million users
- They are potentially hazardous, with a variety of security risks
A cybersecurity researcher from Secure Annex recently discovered more than 30 unlisted browser extensions that put more than four million of its users at different security risks.
In a detailed analysis, researcher John Tuckner explained software developers will sometimes unlist their extensions if they’re not operating properly.
However, he also suggested that malicious actors might unlist them to make it harder for security teams to detect and flag them. After all, these hidden tools cannot easily be found via search engines, or public directories.
Flagging for malicious behavior
“Many companies provide their software through unlisted extensions because it makes it harder for any normal user to find the extension and then hit a wall when it isn’t functional,” he said. “It has also been known as a way to target users to install a malicious extension while being really hard to detect by security teams.”
Some of the extensions Tuckner found, like “Fire Shield Extension Protection,” request excessively broad permissions. These permissions include access to users’ web traffic, stored cookies, and even browser tabs, which opens the doors to the misuse of potentially sensitive data.
“While the management API is requested, so is access to many more permissions that provide the ability to interact with web traffic on all URLs, access cookie storage, manage browser tabs, and execute scripts!,” Tuckner explained.
Secure Annex’s analysis flagged these extensions for potentially malicious behavior, such as accessing stored cookies, or matching signatures associated with known malware. The researcher suggested users remove these unlisted extensions, since their hidden and overly intrusive nature creates unnecessary vulnerabilities.
Fortunately, Tuckner did not find any extensions stealing login credentials or payment information.
However, he stressed that this level of obfuscation for software that can be remotely controlled could mean it can be used as an infostealer. “That is ultimately the problem and threat these extensions pose when they can be controlled remotely.”
We have reached out to Google for comment.
Via Ars Technica
Leave a comment