Google Chrome users will be shocked to discover that their private web history could now be in the hands of cyber criminals. This distressing discovery was made by the research team at Awake Security who found that over 70 extensions available on the Chrome Web Store were filled with nasty spyware which could infiltrate the world’s most popular web browser.
After the researchers revealed their findings to Google last month, the US technology company immediately deleted the add-ons, but not before they had been downloaded over 30 million times by Chrome fans.
Speaking exclusively to Reuters, Google’s Scott Westover said: “When we are alerted of extensions in the Web Store that violate our policies, we take action and use those incidents as training material to improve our automated and manual analyses.”
Many of these free extensions pretended to offer security alerts when visiting websites or downloading files online. However, their real purpose was to infect the Chrome browser and allow attackers to steal data such as browsing history.
It’s a serious breach and, according to Awake co-founder Gary Golomb, it could be the most far-reaching malicious Chrome store campaign to date. This is due to the sheer number of people who downloaded the malicious add-ons.
“To date, there have been at least 32,962,951 downloads of these malicious extensions – and this only accounts for the extensions that were live in the Chrome Web Store as of May 2020. For context, very few extensions have been downloaded more than 10 million times,” said Golomb.
It’s currently unclear who was behind the attack, but it seems the threat was sophisticated enough to avoid detection by antivirus companies. It’s also clearly worrying that these add-ons were available on the official Chrome Store, as most users believe that this is a safe place to download extensions.
Speaking about the attack, Jake Moore, Cybersecurity Specialist at ESET, said: “Browser extensions can be extremely useful and come with thousands of benefits – but you should remain cautious when you download anything to your machine. Being vigilant about extensions usually means reading the reviews but, in many cases, this still won’t be enough as some may not be legitimate especially as most browser extensions are free.
“There are, however, ways to stay more careful when downloading third party extensions. Usually, they will ask for permissions to be granted for access to data or other information on your machine, which I recommend you don’t give. Google can’t ever guarantee 100% security on all of their third party add-ons so you must be careful.”
Published at Fri, 19 Jun 2020 05:42:00 +0000