A rudimentary issue and a malicious extension can cause a headache
Google Chrome extensions downloaded 32 million times have secretly been siphoning off users’ web history and login credentials. The campaign, first reported by Reuters and uncovered by threat researchers at Awake Security, has been described as the farthest-reaching attack launched through the Chrome Web Store to date.
The campaign relied on users installing browser extensions that claimed to convert files from one format to another, or to warn them about potentially dangerous sites and files encountered online. Instead, the extensions acted as spyware, recording which sites a user visited and capturing their login credentials.
The researchers put the download count at up to 32 million, a figure drawn from the download statistics published on Google’s own Chrome Web Store. Awake Security published the full list of domains and extensions in its report.
‘A massive global surveillance campaign’
The campaign is a giant dragnet, the researchers say, rather than a targeted attempt to gather information. It is “a massive global surveillance campaign exploiting the nature of internet domain registration and browser capabilities to spy on and steal data from users across multiple geographies and industry segments,” they say.
Google removed 70 of the extensions from the Chrome Web Store after the researchers reported them. The extensions worked by pushing the collected data out to attacker-controlled servers while evading the checks that would normally flag them as malicious to antivirus scanners. The campaign appears to have been aimed at home users: according to the researchers, the extensions do not carry out their data collection on corporate networks, and do not even try to. A practical consequence is that a sample observed only inside a corporate sandbox or lab network may look benign.
According to the researchers, many of the domains the data passed through were registered via a single registrar, GalComm. Of the more than 26,000 reachable domains registered through GalComm, almost six in ten are malicious or suspicious, Awake Security claims.
There is no suggestion GalComm had any knowledge of, or anything to do with, the malicious browser extensions. GalComm’s owner, Moshe Fogel, told Reuters: “Galcomm is not involved, and not in complicity with any malicious activity whatsoever.” He added that the company will cooperate with law enforcement “to prevent as much as we can,” and that it was undertaking its own investigation.
Browser extensions are common vectors of attack
Malicious browser extensions are not a new way of siphoning off data, even if the sheer scale of the information captured is unusual in this case. In February, researchers uncovered a similar issue with Chrome extensions that they said had harvested data from 1.7 million users; Google subsequently identified and removed some 500 such extensions.
But as browser extensions become ever more powerful and more central to day-to-day browsing, they are a potentially high-reward way for attackers to reach our data. We use extensions to block ads, connect other services, convert files and even watch Netflix collaboratively.
Many extensions ask for overly broad permissions, including access to web history, which reveals a great deal about a person and their habits. Note that this campaign did not exploit a flaw in Chrome itself: it abused the permissions users granted and the trust they placed in the Web Store. Targeting Chrome’s extension ecosystem is a logical choice for attackers, because nearly seven in ten people browsing the web at any one time are using Chrome.
Users should be more suspicious of the extensions they install and of the permissions they grant. Reviewing which extensions are installed, what permissions they hold and what they actually do, on an ongoing basis rather than once at install time, is a sensible way to reduce the risk of falling victim to such attacks. In managed environments, Chrome’s enterprise policies (ExtensionInstallAllowlist, ExtensionInstallBlocklist and ExtensionSettings) let administrators restrict installs to a vetted set rather than relying on each user’s judgement.
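As a practical check for the advice above, here is an added example (my own code, not Awake Security’s, Google’s, or the article’s) that audits a Chrome profile’s installed extensions for the kind of broad permissions discussed. It assumes Chrome’s on-disk layout of Extensions/<id>/<version>/manifest.json and the usual default profile paths; the set of permissions it treats as sensitive is an editorial choice, not an official Google list.

```python
"""Audit a Chrome profile's installed extensions for overly broad permissions.

Added example for this article; it is not code from Awake Security, Google or the
original page. It parses each extension's manifest.json under the profile's
Extensions directory and flags permissions that expose browsing history or every
site the user visits. Assumed layout: Extensions/<id>/<version>/manifest.json.
"""
import json
import os
import sys
from pathlib import Path

# Editorial choice of permissions worth a second look; not an official Google list.
SENSITIVE_PERMISSIONS = {
    "history", "tabs", "webRequest", "webRequestBlocking", "webNavigation",
    "cookies", "proxy", "management", "nativeMessaging", "clipboardRead",
    "declarativeNetRequest", "debugger",
}
# Host patterns that match every site; a file converter has no reason to ask for these.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def host_patterns(manifest):
    """Collect host match patterns from MV2 'permissions', MV3 'host_permissions'
    and every content_scripts 'matches' block."""
    patterns = set()
    for key in ("permissions", "optional_permissions", "host_permissions",
                "optional_host_permissions"):
        for entry in manifest.get(key, []):
            if isinstance(entry, str) and ("://" in entry or entry == "<all_urls>"):
                patterns.add(entry)
    for script in manifest.get("content_scripts", []):
        patterns.update(script.get("matches", []))
    return patterns


def flag_manifest(manifest):
    """Return a sorted list of findings (strings) for one parsed manifest dict."""
    findings = set()
    declared = set()
    for key in ("permissions", "optional_permissions"):
        # Entries can be dicts (e.g. usbDevices), so keep only plain strings.
        declared.update(p for p in manifest.get(key, []) if isinstance(p, str))
    findings.update(f"permission:{p}" for p in declared & SENSITIVE_PERMISSIONS)
    findings.update(f"host:{h}" for h in host_patterns(manifest) & BROAD_HOST_PATTERNS)
    # All-sites host access plus webRequest lets an extension observe every request
    # the browser makes, so call that combination out explicitly.
    if any(f.startswith("host:") for f in findings) and "permission:webRequest" in findings:
        findings.add("combo:all-sites+webRequest")
    return sorted(findings)


def default_extensions_dir():
    """Best-effort path of the 'Default' profile's Extensions folder per platform."""
    home = Path.home()
    if sys.platform.startswith("win"):
        base = Path(os.environ.get("LOCALAPPDATA", str(home)))
        return base / "Google" / "Chrome" / "User Data" / "Default" / "Extensions"
    if sys.platform == "darwin":
        return home / "Library" / "Application Support" / "Google" / "Chrome" / "Default" / "Extensions"
    return home / ".config" / "google-chrome" / "Default" / "Extensions"


def audit_directory(extensions_dir):
    """Yield (extension_id, version, name, findings) for every manifest found."""
    root = Path(extensions_dir)
    for manifest_path in sorted(root.glob("*/*/manifest.json")):
        ext_id, version = manifest_path.parts[-3], manifest_path.parts[-2]
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError) as exc:
            yield ext_id, version, f"<unreadable manifest: {exc}>", []
            continue
        # Names like __MSG_appName__ are i18n placeholders; the real string lives in _locales.
        yield ext_id, version, manifest.get("name", "?"), flag_manifest(manifest)


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else default_extensions_dir()
    for ext_id, version, name, findings in audit_directory(target):
        status = "REVIEW" if findings else "ok"
        print(f"{status:6} {ext_id} {version} {name!r} {' '.join(findings)}")
```

Run it with no arguments to scan the default profile, or pass the Extensions directory of another profile. Anything marked REVIEW is not necessarily malicious (an ad blocker legitimately needs all-sites access), but every such entry should be one you can explain; a “file converter” holding tabs, webRequest and <all_urls> is exactly the profile this campaign exploited.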