Chrome browser extensions are beautiful things. They can translate pages, help you manage your passwords and even get rid of unpleasant words. However, they’re also prime vectors for all kinds of unpleasant malicious code.
Usually, it’s easy enough to sort out genuine Chrome extensions from their shady brethren, but what happens when good plugins go bad? At least eight Chrome extension developers have fallen prey to phishing schemes, had their Chrome developer accounts hijacked and their extensions altered. Their once-legitimate Chrome extensions now threaten millions of people, and it's likely more Chrome extension hijacks will come to light.
The French security researcher known only as “Kafeine” discovered six new compromised extensions, adding to the two discovered earlier this month, and shared his findings on the Proofpoint website Monday (Aug. 14). The six otherwise-helpful Chrome extensions are currently spamming users with malicious popups and redirected advertisements, and it’s likely that all eight developers fell for the same phishing scheme.
First things first: If you have one of the corrupted extensions, you should uninstall or disable it right away. (However, you should also bookmark the developer’s homepage, blog or Twitter account so that you know when it’s safe to reinstall.) It doesn't matter if you're using Windows, macOS or Linux, as Chrome extensions are generally platform-independent.
The version numbers for four of the compromised extensions are as follows:
- Chrometana 1.1.3
- Infinity New Tab 3.12.3
- Web Paint 1.2.1
- Social Fixer 20.1.1
Two more extensions appear to have been compromised at the end of June, but the exact version numbers of the corrupted code are unverified:
- TouchVPN [current version 1.5.12, last updated June 25]
- Betternet VPN [current 4.4.5, last updated July 6]
Bleeping Computer estimates that almost 5 million people may be at risk from these extensions.
Two additional apps, Copyfish and Web Developer, fell prey to the exact same method of hijacking earlier this month. However, those two apps have since been updated, and should be safe to use once again.
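For anyone who wants to check a machine rather than eyeball the Chrome extensions page, here is an added example (written for this article, not code from the researcher, Proofpoint or any of the extension projects) that walks Chrome's per-profile `Extensions` directory, reads each extension's `manifest.json`, resolves localized `__MSG_…__` names through `_locales/<default_locale>/messages.json`, and flags only the name/version pairs listed above. Copyfish and Web Developer are left out because the article says they have already been fixed. The profile paths are Chrome's documented defaults for the "Default" profile; the extension IDs and manifests in `build_sample_profile` are constructed for offline testing and do not correspond to the real extensions.

```python
import json
import os
import sys
import tempfile
from pathlib import Path

# Compromised (name, version) pairs exactly as listed in the article above.
COMPROMISED_VERSIONS = {
    "Chrometana": "1.1.3",
    "Infinity New Tab": "3.12.3",
    "Web Paint": "1.2.1",
    "Social Fixer": "20.1.1",
}
# Listed as compromised, but the corrupted version number is unverified.
UNVERIFIED_VERSIONS = {"TouchVPN", "Betternet VPN"}


def default_extension_root() -> Path:
    """Chrome's per-profile Extensions directory (Default profile) per platform."""
    if sys.platform.startswith("win"):
        return Path(os.environ.get("LOCALAPPDATA", "")) / "Google/Chrome/User Data/Default/Extensions"
    if sys.platform == "darwin":
        return Path.home() / "Library/Application Support/Google/Chrome/Default/Extensions"
    return Path.home() / ".config/google-chrome/Default/Extensions"


def resolve_name(manifest: dict, ext_dir: Path) -> str:
    """Return the display name; localized names look like __MSG_appName__
    and are looked up in _locales/<default_locale>/messages.json."""
    name = manifest.get("name", "")
    if name.startswith("__MSG_") and name.endswith("__"):
        key = name[len("__MSG_"):-2]
        locale = manifest.get("default_locale", "en")
        messages_file = ext_dir / "_locales" / locale / "messages.json"
        try:
            messages = json.loads(messages_file.read_text(encoding="utf-8-sig"))
            return messages[key]["message"]
        except (OSError, KeyError, TypeError, ValueError):
            return name  # fall back to the raw placeholder; it will not match
    return name


def scan_extensions(root: Path) -> list:
    """Walk <root>/<extension id>/<version dir>/manifest.json and flag matches.
    Returns sorted (extension id, name, version, verdict) tuples."""
    findings = []
    for manifest_path in root.glob("*/*/manifest.json"):
        ext_dir = manifest_path.parent
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable manifest: skip rather than crash the scan
        name = resolve_name(manifest, ext_dir)
        version = str(manifest.get("version", ""))
        ext_id = ext_dir.parent.name
        if COMPROMISED_VERSIONS.get(name) == version:
            findings.append((ext_id, name, version, "COMPROMISED: uninstall or disable"))
        elif name in UNVERIFIED_VERSIONS:
            findings.append((ext_id, name, version, "WARN: compromised version unverified, check developer"))
    return sorted(findings)


def build_sample_profile(base: Path) -> Path:
    """Constructed sample Extensions tree (not a real profile) for offline use."""
    root = base / "Extensions"
    samples = [
        # (constructed id, version dir, manifest, optional messages.json)
        ("constructedidchrometana", "1.1.3_0", {"name": "Chrometana", "version": "1.1.3"}, None),
        ("constructedidwebpaint", "1.3.0_0", {"name": "Web Paint", "version": "1.3.0"}, None),
        ("constructedidsocialfixer", "20.1.1_0",
         {"name": "__MSG_appName__", "default_locale": "en", "version": "20.1.1"},
         {"appName": {"message": "Social Fixer"}}),
        ("constructedidtouchvpn", "1.5.12_0", {"name": "TouchVPN", "version": "1.5.12"}, None),
    ]
    for ext_id, version_dir, manifest, messages in samples:
        ext_dir = root / ext_id / version_dir
        ext_dir.mkdir(parents=True, exist_ok=True)
        (ext_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
        if messages is not None:
            locale_dir = ext_dir / "_locales" / manifest["default_locale"]
            locale_dir.mkdir(parents=True, exist_ok=True)
            (locale_dir / "messages.json").write_text(json.dumps(messages), encoding="utf-8")
    return root


def demo_scan() -> list:
    """Scan the constructed sample profile (used when no real profile is present)."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_extensions(build_sample_profile(Path(tmp)))


if __name__ == "__main__":
    root = default_extension_root()
    results = scan_extensions(root) if root.is_dir() else demo_scan()
    for ext_id, name, version, verdict in results:
        print(f"{ext_id}  {name} {version}: {verdict}")
    if not results:
        print("No listed extensions found.")
```

The scan matches on the version recorded in the manifest, not on the `<version>_0` directory name, so an extension that has since been updated by its developer (like Web Paint 1.3.0 in the sample) is not flagged; the two VPN extensions are reported as warnings by name only, mirroring the article's note that their corrupted versions are unverified.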
The corrupted Chrome extensions are not dangerous in and of themselves, but use them long enough, and they can almost certainly compromise your computer.
Rather than infecting systems themselves, the extensions redirect users to malicious websites that can do it for them. The compromised extensions spam users with popups, which exhort them to click on harmful sites. Furthermore, they replace legitimate advertisements with ones that have much more unscrupulous destinations.
As for how the extensions became corrupted in the first place, it’s a surprisingly simple story: The developers got phished. The men and women behind the Chrome extensions received extremely convincing emails from a Google lookalike, explaining that they had to log into their Google developer accounts immediately or risk losing valuable assets. The link and email address both looked convincing, and the message did not contain any spelling or grammatical errors.
Once the developers "logged in," the attackers had their Google developer-account username and passwords. From there, the attackers changed the code of the developers' extensions and pushed out updates.
The lesson here is not "don’t use Google Chrome Extensions," since they’re generally helpful, reliable bits of software. Instead, perhaps, users may want to follow their favorite extension developers on Twitter to be notified of potential security breaches like this one ASAP. Keeping extensions up to date (which Chrome does automatically by default) and having a reliable antivirus program installed never hurt, either.