Is Your Browser Spying? Chrome Extensions With Hidden Trackers Exposed
Everyone knows (or should know) that the safest way to handle browser extensions is to make sure you're getting them from a trusted, reliable source. That alone isn't enough to ensure you want fall prey to hackers, though. Proving otherwise, dozens of extensions on the Chrome Web Store have been found to pose a security and privacy threat over the presence of hidden tracking code.
The total number of affected extensions tally 57 and collectively, they have amassed nearly 6 million installations. Some of them are more popular than others. The ones with the most installations—200,000 or more—including the following...
- Cuponomia – Coupon and Cashback: 700,000
- Fire Shield Extension Protection: 300,000
- Total Safety for Chrome: 300,000
- Protecto for Chrome: 200,000
- Browser WatchDog for Chrome: 200,000
- Securify for Chrome: 200,000
- Browser Checkup for Chrome by Doctor: 200,000
- Choose Your Chrome Tools: 200,000
The sinister nature of these and dozens of other extensions that are part of the group was highlighted by Secure Annex researcher John Tucker. As Tucker points out in a blog post on the topic, most of the extensions are unlisted.
That in and of itself can serve as a red flag, though it doesn't necessarily mean the extension is up to no good. Unlisted extensions don't get indexed by search engines so you won't find them with a simple lookup query. They also don't show up when searching the Chrome Web Store, and so the only way to access them is with a direct link.
Tucker says that one of the first extensions he looked at was Fire Shield Extension Protection, an unlisted extension with 300,000 installations and a 2.2 user rating. It's ostensibly designed to check your extensions and break them down by the permissions they use, and then alert the user if it finds anything suspicious.
Sounds helpful, but according to Tucker, the extension's permissions are "overly broad" and "heavily obfuscated" in code. These permissions allow the extension to access cookies and track a user's browser behavior, modify search providers and the subsequent search results, inject and execute remote scrips on visited pages (via iFrames), and more.
It and several other extensions were also found to reference the domain unkonw.com, which triggered an alarm bell in Tucker's head.
"While I could not find an instance of the extension exfiltrating credentials, this level of obfuscation, the ability for the extension’s configuration to be remotely controlled, these patterns being seen across many different extensions, and the capabilities in the browser extension’s code is enough for me to come to the same conclusion that all of these extensions are a family of spyware or infostealers. That is ultimately the problem and threat these extension pose when they can be controlled remotely," Tucker states.
You can check out his blog post for more technical details (as spotted by Bleeping Computer, which heard from Google that it's investigating the matter). Additionally, he posted a full list of affected extensions in a Google Spreasheet. Be sure to check that out and if you're running any of the ones on the list, do yourself a solid and nuke it.
