Three malicious browser extensions on Google Chrome were posing as VPN applications and managed to infect 1.5 million users before they were discovered by researchers at ReasonLabs and taken down by Google
Discover our latest podcast
The extensions were well designed as they did offer VPN functionality and even subscription tiers. This allowed them to avoid detection while they were able to abuse offscreen permissions to run scripts that gave them access to the user's browser functionality. This exploit allowed the hackers to steal sensitive data, gain control over the browser, redirect web requests and manipulate other downloaded extensions.
The points of attack
The hackers had many points of attack through these applications as they could target extensions directly, specifically extensions that dealt with cash-back or rewards and managed to siphon the profits. According to ReasonLabs:
they targeted over 100 legitimate cash-back extensions including Avast SafePrice, AVG SafePrice, Honey: Automatic Coupons & Rewards, LetyShops, Megabonus, AliRadar Shopping Assistant, Yandex.Market Adviser, ChinaHelper, and Backlit.
This discovery highlights a massive security issue with web extensions as they make it hard to understand what permissions they require and how deep their offscreen functionality reaches. It is important to understand that, due to the size of Chrome’s web store and the immense number of extensions on there, it is impossible for the tech giant to canvas and ensure that all the apps are safe especially since independent developers can easily create and upload extensions for all types of use cases.
Browsers are vulnerable
Browsers carry a great deal of sensitive data, from banking information to names, addresses and log-ins to all types of confidential accounts. It is important to understand that protecting your privacy means carefully selecting what you interact with online. New malware is being developed each day and giant tech companies with advanced security measures fall victim to cyberattacks more frequently than ever. As such it is not only essential that private users have security measures of their own but also understand the level of vulnerability they risk when being careless with what they allow on their systems.
Read more:
⋙ 23andME: Millions of users' personal data leaked in cyber attack
⋙ Data privacy: Your car is harvesting information about you
⋙ Android users: This tiny dot on your phone is a huge privacy breach
Source:
Techspot: Three malicious VPN extensions on the Chrome Web Store infected 1.5 million devices before being removed by Google
