Four of Google Chrome’s most popular extensions, which have amassed more than 500,000 downloads in total, are thought to be malicious.
According to ArsTechnica, Google has since banned the extensions from the Chrome Web Store, but they reveal weaknesses in what many see as the most security-conscious browser.
Researchers at cyber security company ICEBRG noticed the dodgy extensions when they came across a sudden traffic spike. It came from a customer workstation and got the alarm bells ringing.
After analysing the suspicious spike, they attributed it to a Chrome extension called HTTP Request Header. Without users knowing, it distributed an infection that got computers to access advertising web links.
“While reviewing an unusual spike in outbound traffic volume from a customer workstation to a European VPS provider, ICEBRG’s Security Research Team (SRT) utilized the targeted packet capture capability of the ICEBRG platform to collect traffic destined to the external IP, 109.206.161[.]14,” said the researchers.
The security bods then found another three malware-ridden Chrome extensions, which were called Nyoogle, Stickies and Lite Bookmarks. They worked in similar way to the the first extension, said the researchers.
Iceberg believes that fraudsters were using the extensions in a scam to make quick cash from automating per-click rewards. But the crooks could easily have used them to get access to personal and business data.
“In this case, the inherent trust of third-party Google extensions, and accepted risk of user control over these extensions, allowed an expansive fraud campaign to succeed,” explained the specialists
“In the hands of a sophisticated threat actor, the same tool and technique could have enabled a beachhead into target networks.”
Upon discovering the extensions, ICEBRG contacted Google, which has removed them from the browser. The company also wrote to the Netherlands’ National Cyber Security Centre and US CERT.
“Due to security concerns, Chrome prevents the ability to retrieve JSON from an external source by extensions, which must explicitly request its use via the Content Security Policy (CSP).”