In general terms, the compromised extension first checks to ensure that the Chrome Extension has been installed for 10 minutes using the following line of code: We retrieved the compromised version and isolated the injected code.įigure 2: Web Developer 0.4.9 Chrome Extension published by a bad actor after the legitimate extension was compromisedįigure 3: Snippet of the inserted code in content.js from the compromised version of Web Developer 0.4.9 On August 12 Chris Pederick reported that his Extension, Web Developer for Chrome, had been compromised (Figure 1).įigure 1: Chris Pederick’s tweet from Augregarding the compromise of his Web Developer for Chrome Extension We believe that the Chrome Extensions TouchVPN and Betternet VPN were also compromised in the same way at the end of June. We specifically examined the “Web Developer 0.4.9” extension compromise, but found evidence that “Chrometana 1.1.3”, “Infinity New Tab 3.12.3”, “CopyFish 2.8.5”, “Web Paint 1.2.1”, and “Social Fixer 20.1.1” were modified using the same modus operandi by the same actor. This resulted in hijacking of traffic and exposing users to potentially malicious popups and credential theft. At the end of July and beginning of August, several Chrome Extensions were compromised after their author’s Google Account credentials were stolen via a phishing scheme.
Chrome Extensions are a powerful means of adding functionality to the Chrome browser with features ranging from easier posting of content on social media to integrated developer tools.
0 kommentar(er)
